[Owasp-antisamy] anythinggoes

Marcin Wielgoszewski marcinw86 at gmail.com
Wed Apr 29 10:29:47 EDT 2009


Hi Alex,

The anythinggoes policy, by no means can account for each and every
single html/css/tag/attribute that is interpreted by every conceivable
browser out there.  This is why you may find unstandardized items
missing from the policy.  I encourage you to explore the MS Word HTML
components, and submit your modifications to the list.

Thanks,
Marcin Wielgoszewski

On Wed, Apr 29, 2009 at 3:50 AM, Alexander Afonin <alexafonin at yahoo.com> wrote:
> Hello,
>
> I'm planning to use AntiSamy 1.3 to validate html emails. I decided to start
> with "anythinggoes" policy file because none of other policy files seemed
> close enough to my use case and because it offers the complete set of
> tags/attributes.
>
> 1. Some tags/attributes are not mentioned in the policy file. For example,
> applet tag or summary attribute of table tag. I was expecting to see all
> html/css tags/attribute in the "anythinggoes" policy with the appropriate
> action (filter, remove or truncate). What was the reason for omitting some
> tags/attributes? If a tag/attribute is not listed in the policy file, should
> I assume that there is a known xss attack that exploits this tag/attribute?
> 2. My customers would like to be able to use MS Word to compose html. Such
> html results in a very large number of validation errors as none of MS
> extensions are listed in the policy file. Again, does that mean that all MS
> extensions are dangerous?
> 3. In my application html validation is done on the server and results are
> returned to flash client. I would like to be able to just return message
> keys and additional details to the client and let the client construct
> appropriate error message. Unfortunately, I don't see any easy way of
> getting structured error details as they come out from CleanResult already
> formatted (and html encoded) which I don't need. Are there any plans to
> provide some hooks in the API to customize validation process?
> 4. In some cases tags get filtered or removed without any error messages
> reported. For example, I have link tag in html head section configured to be
> removed. The tag does get removed but no error is reported. Could that be
> fixed?
>
> Thanks in advance.
> Alex
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>


More information about the Owasp-antisamy mailing list