[Owasp-antisamy] anythinggoes

Alexander Afonin alexafonin at yahoo.com
Wed Apr 29 03:50:32 EDT 2009


Hello,
 
I'm planning to use AntiSamy 1.3 to validate html emails. I decided to start with "anythinggoes" policy file because none of other policy files seemed close enough to my use case and because it offers the complete set of tags/attributes.
 
1. Some tags/attributes are not mentioned in the policy file. For example, applet tag or summary attribute of table tag. I was expecting to see all html/css tags/attribute in the "anythinggoes" policy with the appropriate action (filter, remove or truncate). What was the reason for omitting some tags/attributes? If a tag/attribute is not listed in the policy file, should I assume that there is a known xss attack that exploits this tag/attribute?
2. My customers would like to be able to use MS Word to compose html. Such html results in a very large number of validation errors as none of MS extensions are listed in the policy file. Again, does that mean that all MS extensions are dangerous?
3. In my application html validation is done on the server and results are returned to flash client. I would like to be able to just return message keys and additional details to the client and let the client construct appropriate error message. Unfortunately, I don't see any easy way of getting structured error details as they come out from CleanResult already formatted (and html encoded) which I don't need. Are there any plans to provide some hooks in the API to customize validation process?
4. In some cases tags get filtered or removed without any error messages reported. For example, I have link tag in html head section configured to be removed. The tag does get removed but no error is reported. Could that be fixed?
 
Thanks in advance.
Alex


      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090429/5ffe55ce/attachment.html 


More information about the Owasp-antisamy mailing list