[Owasp-antisamy] Initial thoughts on .Net antisamy

Jerry Hoff jerry.hoff at aspectsecurity.com
Tue Apr 28 13:28:48 EDT 2009


Hi Richard,
 
Thanks for the feedback. I am in agreement with your points, and I will integrate them into Antisamy.net. Arshan, can you attend to point #5, as I don't think I have privileges to alter the name of the google code repository.
 
Thanks,
Jerry


________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of rbirkby at gmail.com
Sent: Fri 4/24/2009 9:35 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Initial thoughts on .Net antisamy


Greetings,

My first foray into AntiSamy has unfortunately ended with it being unlinkable into my project. Here are some of my thoughts during the investigation:

1) It would be nice if you included NUnit in the distro/svn - currently the project is not buildable except by removing the NUnit refs and setting the Test class to not compile.

2) It would be nice if the policy resources were compiled into the assembly. Not everyone is hosting the AntiSamy assembly inside of the ASP process. For example, I would like to run AntiSamy inside a ServicedComponent dllhost process (allowing AntiSamy to be called from VBScript). 

3) The Java Policy.getInstance API accepts a stream. The .Net API does not. A .Net ServicedComponent doesn't really know which directory it is in, which makes it difficult to obtain a filepath - please add a Stream factory method to Policy (see the patch below).

4) I'd much prefer C# ISO standard naming conventions in the API rather than conventions mimicking Java (i.e. members are Pascal case, not camel case). Also in the documentation: _as is an unlikely name for a local variable.

5) The subversion location is:
http://owaspantisamy.googlecode.com/svn/trunk/dotNet/current/source/ owaspantisamy/

Notice this has an extra space character before owaspantisamy. Surely not intentional?

6) Policy .ctor states it throws a PolicyException. It doesn't, it catches all exceptions and writes to stdout.

7) There's an unused AssemblyInfo.cs in the root of the project.

8) Please give AntiSamy a strong name. There are several deployment scenarios which require a strong name. (this would also require Flute to have a Strong Name too)


Unfortunately, at that point my experiments with AntiSamy had to end. The lack of Strong Name on Flute and inability to give it one due to closed source meant that I'm unable to link against AntiSamy.

I've included my Policy.cs diff/patch which allows Stream support below. It's untested and a bit rough and ready.


Thanks,
Richard


Index: Policy.cs
===================================================================
--- Policy.cs (revision 110)
+++ Policy.cs (working copy)
@@ -114,6 +114,18 @@
return _instance;
}

+ /// <summary> This retrieves a Policy based on the Stream object passed in</summary>
+ /// <param name="stream">A Stream object which contains the XML policy information.
+ /// </param>
+ /// <returns> A populated Policy object based on the XML policy file pointed to by the stream parameter.
+ /// </returns>
+ /// <throws> PolicyException If there is a problem parsing the file. </throws>
+ public static Policy getInstance(Stream stream)
+ {
+ _instance = new Policy(stream);
+ return _instance;
+ }
+
/// <summary> Load the policy from an XML file.</summary>
/// <param name="file">Load a policy from the File object.
/// </param>
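Review bot: the new getInstance(Stream) overload leaves stream ownership undocumented, and its `<throws>` text still says "If there is a problem parsing the file" although there is no file here. The `<param>` comment should state that the caller keeps ownership of the stream and is responsible for closing it (the factory neither disposes it nor rewinds it, so a stream positioned past its start will parse as empty), and the `<returns>`/`<throws>` wording should refer to the stream. Like the existing getInstance directly above it (`_instance = ...; return _instance;`), it replaces the process-wide singleton on every call, so two components loading different policies silently overwrite each other; that last-writer-wins behaviour deserves a sentence in the summary.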
@@ -131,26 +143,10 @@
{
try
{
- XmlDocument doc = new XmlDocument();
- doc.Load(filename);
-
- XmlNode commonRegularExpressionListNode = doc.GetElementsByTagName("common-regexps")[0];
- this.commonRegularExpressions = parseCommonRegExps(commonRegularExpressionListNode);
-
- XmlNode directiveListNode = doc.GetElementsByTagName("directives")[0];
- this.directives = parseDirectives(directiveListNode);
-
- XmlNode commonAttributeListNode = doc.GetElementsByTagName("common-attributes")[0];
- this.commonAttributes = parseCommonAttributes(commonAttributeListNode);
-
- XmlNode globalAttributesListNode = doc.GetElementsByTagName("global-tag-attributes")[0];
- this.globalAttributes = parseGlobalAttributes(globalAttributesListNode);
-
- XmlNode tagListNode = doc.GetElementsByTagName("tag-rules")[0];
- this.tagRules = parseTagRules(tagListNode);
-
- XmlNode cssListNode = doc.GetElementsByTagName("css-rules")[0];
- this.cssRules = parseCSSRules(cssListNode);
+ using(FileStream stream = File.OpenRead(filename))
+ {
+ parsePolicyStream(stream);
+ }
}
catch (Exception ex)
{
@@ -159,8 +155,43 @@
}
}

+ /// <summary> Load the policy from an XML stream.</summary>
+ /// <param name="stream">Load a policy from the stream specified.
+ /// </param>
+ /// <throws> PolicyException </throws>
+ private Policy(Stream stream)
+ {
+ parsePolicyStream(stream);
+ }

+ /// <summary>
+ /// Parses the policy stream.
+ /// </summary>
+ /// <param name="stream">The stream.</param>
+ private void parsePolicyStream(Stream stream)
+ {
+ XmlDocument doc = new XmlDocument();
+ doc.Load(stream);

+ XmlNode commonRegularExpressionListNode = doc.GetElementsByTagName("common-regexps")[0];
+ this.commonRegularExpressions = parseCommonRegExps(commonRegularExpressionListNode);
+
+ XmlNode directiveListNode = doc.GetElementsByTagName("directives")[0];
+ this.directives = parseDirectives(directiveListNode);
+
+ XmlNode commonAttributeListNode = doc.GetElementsByTagName("common-attributes")[0];
+ this.commonAttributes = parseCommonAttributes(commonAttributeListNode);
+
+ XmlNode globalAttributesListNode = doc.GetElementsByTagName("global-tag-attributes")[0];
+ this.globalAttributes = parseGlobalAttributes(globalAttributesListNode);
+
+ XmlNode tagListNode = doc.GetElementsByTagName("tag-rules")[0];
+ this.tagRules = parseTagRules(tagListNode);
+
+ XmlNode cssListNode = doc.GetElementsByTagName("css-rules")[0];
+ this.cssRules = parseCSSRules(cssListNode); 
+ }
+
/// <summary> Go through <directives> section of the policy file.</summary>
/// <param name="directiveListNode">Top level of <directives>
/// </param>
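Review bot: `private Policy(Stream stream)` calls parsePolicyStream with no try/catch, so malformed XML surfaces as an XmlException and a policy lacking one of the expected sections surfaces as a NullReferenceException (each `doc.GetElementsByTagName("...")[0]` returns null for an empty node list, and that null is handed straight to the parse helper), never as the PolicyException the `<throws>` tag promises. The two constructors therefore fail differently for the same bad input. Suggest having parsePolicyStream check each section node for null and wrap parse failures in PolicyException so both entry points behave alike. Since the document can now arrive from an arbitrary caller-supplied stream, also consider setting `doc.XmlResolver = null;` before `doc.Load(stream);` so a DOCTYPE in the policy cannot pull in external entities; the default XmlDocument resolver in the .NET Framework versions of this period does follow them.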
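Points 2, 3 and 8 above amount to one deployment pattern: compile the policy XML into the assembly as an embedded resource and hand it to AntiSamy as a Stream, so the policy no longer depends on a working directory the component cannot know and travels inside the assembly whose strong-name signature covers it. The following is an added example, not code from the AntiSamy .NET project or from Richard's patch. It assumes the policy file is added to the project as an Embedded Resource with the hypothetical manifest name `MyApp.Policies.antisamy.xml`, that Policy exposes the `getInstance(Stream)` factory proposed in the patch, that the port lives in the Java-derived namespace `org.owasp.validator.html`, and that the scan API mirrors the Java one (`AntiSamy.scan(string, Policy)` returning a `CleanResults` with `getCleanHTML()`); none of these names are confirmed by the thread.

```csharp
// Added example, not code from the AntiSamy .NET project or from the patch above.
// Assumptions (not confirmed by the thread):
//  * the policy XML is compiled into this assembly as an Embedded Resource whose
//    manifest name is "MyApp.Policies.antisamy.xml" (hypothetical name);
//  * Policy exposes the getInstance(Stream) factory proposed in Richard's patch;
//  * the scan API mirrors the Java one (AntiSamy.scan(string, Policy) returning a
//    CleanResults with getCleanHTML()), as the port's Java-style naming suggests.
using System;
using System.IO;
using System.Reflection;
using org.owasp.validator.html; // assumed namespace of the .NET port

public static class EmbeddedAntiSamy
{
    private const string PolicyResource = "MyApp.Policies.antisamy.xml"; // hypothetical

    // Loaded once per process. Policy.getInstance(Stream) overwrites a static
    // singleton, so loading it from several places would be last-writer-wins.
    private static readonly Policy SharedPolicy = LoadEmbeddedPolicy();

    private static Policy LoadEmbeddedPolicy()
    {
        Assembly self = typeof(EmbeddedAntiSamy).Assembly;

        // GetManifestResourceStream returns null, not an exception, when the name
        // does not match (wrong default namespace, wrong folder, Build Action left
        // as Content). Fail closed here instead of handing a null stream to the parser.
        using (Stream policyXml = self.GetManifestResourceStream(PolicyResource))
        {
            if (policyXml == null)
            {
                string available = string.Join(", ", self.GetManifestResourceNames());
                throw new InvalidOperationException(
                    "Embedded policy '" + PolicyResource + "' not found. Resources present: " + available);
            }
            // The factory does not dispose the stream; the using block above does.
            return Policy.getInstance(policyXml);
        }
    }

    // Sanitise untrusted HTML against the embedded policy (assumed Java-style API).
    public static string Sanitize(string untrustedHtml)
    {
        if (untrustedHtml == null)
        {
            return string.Empty;
        }
        AntiSamy antiSamy = new AntiSamy();
        CleanResults results = antiSamy.scan(untrustedHtml, SharedPolicy);
        return results.getCleanHTML();
    }
}
```

The null check matters because the static initializer would otherwise fail deep inside the parser with an error that says nothing about the resource name, and because a policy that fails to load must stop the component rather than let it continue without sanitisation rules. Listing the manifest resource names in the message is the quickest way to spot the usual cause, a mismatch between the project's default namespace and the folder the file sits in.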