[Owasp-antisamy] disable encoding

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Apr 29 16:55:12 EDT 2009


I can't think of a way to do that safely considering our architecture. The serialization-to-(X)HTML process is what makes that '<' a '&lt;', and disabling that encoding is possible but could lead to security issues.
 
Arshan

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Frank Pedroza
Sent: Wed 4/29/2009 4:34 PM
To: AntiSamy
Subject: [Owasp-antisamy] disable encoding


This seems like something that should have already been asked, but maybe not because I don't see it in the mailing archives.

Is it possible to disable the HTML encoding? Specifically, I'm doing the following:

----------------------------------------------------------------
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;

// antisamy is an AntiSamy instance I've initialized with a policy file
CleanResults results = antisamy.scan(html);

// the policy-filtered, re-serialized markup
String cleanHtml = results.getCleanHTML();

if (!html.equalsIgnoreCase(cleanHtml)) {
  // user input is not valid: the output differs from what was submitted
}
else if (!results.getErrorMessages().isEmpty()) {
  // user input is invalid: the scan reported policy violations
}
----------------------------------------------------------------

My test input is '1 < 2' and is getting translated into '1 &lt; 2'.
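The check Frank is after, as an added example written for this thread (not code from either poster or from the AntiSamy project). It uses AntiSamy's public API (AntiSamy(Policy), scan, CleanResults.getNumberOfErrors, getCleanHTML); the policy file path antisamy-policy.xml is a placeholder. Because serialization re-encodes text nodes, raw input and clean output can differ without any policy violation, so the scan's own error count is the tamper signal, and any equality check is done between two serialized forms rather than against the raw string:

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyValidityCheck {

    // Returns true when the input passed the policy without any element or
    // attribute being removed or rewritten. Comparing the raw input to the
    // clean output is not used, since "1 < 2" legitimately serializes to
    // "1 &lt; 2" and would be flagged as tampered.
    public static boolean isValid(AntiSamy antisamy, String html)
            throws ScanException, PolicyException {
        CleanResults first = antisamy.scan(html);
        if (first.getNumberOfErrors() > 0) {
            // Policy violations: something in the input was filtered out.
            return false;
        }
        // If an equality check is still wanted, compare serialized forms:
        // scanning already-clean output a second time is expected to be
        // stable, so a difference here indicates unexpected rewriting.
        String canonical = first.getCleanHTML();
        CleanResults second = antisamy.scan(canonical);
        return second.getNumberOfErrors() == 0
                && canonical.equals(second.getCleanHTML());
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: point this at your own AntiSamy policy file.
        Policy policy = Policy.getInstance("antisamy-policy.xml");
        AntiSamy antisamy = new AntiSamy(policy);

        // "1 < 2" contains no markup, so it is expected to be valid even
        // though the clean output reads "1 &lt; 2".
        System.out.println("text only valid: " + isValid(antisamy, "1 < 2"));
    }
}
```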


