[Owasp-antisamy] disable encoding

Frank Pedroza frank.pedroza at gmail.com
Wed Apr 29 17:20:21 EDT 2009


So alternatively, what about a way to apply the same encoding to my raw html
so I can compare afterwards?  I suppose I could write the encoder myself,
but I'd like to guarantee the same encoding implementation.

On Wed, Apr 29, 2009 at 2:55 PM, Arshan Dabirsiaghi <
arshan.dabirsiaghi at aspectsecurity.com> wrote:

>  I can't think of a way to do that safely considering our architecture.
> The serialization-to-(X)HTML process is what makes that '<' a '&lt;', and
> disabling that encoding is possible but could lead to security issues.
>
> Arshan
>
> ------------------------------
> *From:* owasp-antisamy-bounces at lists.owasp.org on behalf of Frank Pedroza
> *Sent:* Wed 4/29/2009 4:34 PM
> *To:* AntiSamy
> *Subject:* [Owasp-antisamy] disable encoding
>
> This seems like something that should have already been asked, but maybe
> not because I don't see it in the mailing archives.
>
> Is it possible to disable the html encoding?  Specifically, I'm doing the
> following:
>
> ----------------------------------------------------------------
> // antisamy is an AntiSamy instance I've initialized with a policy file
> CleanResults results = antisamy.scan(html);
>
> String cleanHtml = results.getCleanHTML();
>
> if (html.equalsIgnoreCase(cleanHtml) == false) {
>   // user input is not valid
> }
> else if (results.getErrorMessages().isEmpty() == false) {
>   // user input is invalid
> }
> ----------------------------------------------------------------
>
> My test input is '1 < 2' and is getting translated into '1 &lt; 2'.
>



-- 
Frank M. Pedroza
-------------------------------------------------------------------
Do not pray for easy lives. Pray to be stronger men. Do not pray for tasks
equal to your powers. Pray for powers equal to your tasks.
-- John F. Kennedy
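Added example (not part of this thread and not AntiSamy project code): one way to keep the validity check in the quoted snippet without depending on a byte-for-byte match between raw and cleaned HTML. Instead of trying to reproduce AntiSamy's serialization encoding, it treats the scan's own error messages as the signal that the policy removed or rewrote something, and checks that re-scanning the cleaned output is a no-op. The policy file path is a placeholder, and the two assumptions to verify against your own policy and AntiSamy version are that policy-driven changes are reported through `getErrorMessages()` while text-node encoding (`<` to `&lt;`) is not, and that a second scan of already-cleaned HTML reproduces it unchanged.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Validates user-supplied HTML with AntiSamy without requiring the raw
 * input to survive the scan unchanged. Example code added to this thread;
 * it is not part of the AntiSamy project or of the original messages.
 */
public class AntiSamyInputCheck {

    // Placeholder path: substitute the policy file you actually load.
    private static final String POLICY_FILE = "antisamy-policy.xml";

    private final AntiSamy antisamy;

    public AntiSamyInputCheck(String policyFile) throws PolicyException {
        Policy policy = Policy.getInstance(policyFile);
        this.antisamy = new AntiSamy(policy);
    }

    /** Result of validating one piece of input. */
    public static final class Outcome {
        public final boolean accepted;
        public final String cleanHtml;     // the value to persist, never the raw input
        public final List<String> reasons; // AntiSamy's own error messages

        Outcome(boolean accepted, String cleanHtml, List<String> reasons) {
            this.accepted = accepted;
            this.cleanHtml = cleanHtml;
            this.reasons = reasons;
        }
    }

    public Outcome validate(String rawHtml) throws ScanException, PolicyException {
        CleanResults first = antisamy.scan(rawHtml);

        // 1. Assumption: anything the policy removed or rewrote is reported
        //    as an error message; encoding '<' as '&lt;' inside a text node
        //    is serialization, not a policy violation, so '1 < 2' passes here.
        if (first.getNumberOfErrors() > 0) {
            return new Outcome(false, first.getCleanHTML(), first.getErrorMessages());
        }

        // 2. Fixed-point check (assumption to verify per policy/version):
        //    scanning the cleaned output again must change nothing. This
        //    replaces the raw-vs-clean string comparison from the thread,
        //    which fails on '1 < 2' purely because of entity encoding.
        CleanResults second = antisamy.scan(first.getCleanHTML());
        boolean stable = second.getNumberOfErrors() == 0
                && second.getCleanHTML().equals(first.getCleanHTML());
        return new Outcome(stable, first.getCleanHTML(), second.getErrorMessages());
    }

    public static void main(String[] args) throws Exception {
        AntiSamyInputCheck check = new AntiSamyInputCheck(POLICY_FILE);
        // Constructed sample inputs: plain text with '<', allowed markup,
        // and an element no shipped AntiSamy policy permits.
        String[] inputs = {
            "1 < 2",
            "<b>bold</b>",
            "<b>bold</b><script>alert(1)</script>"
        };
        for (String input : inputs) {
            Outcome o = check.validate(input);
            System.out.println("input    : " + input);
            System.out.println("accepted : " + o.accepted);
            System.out.println("clean    : " + o.cleanHtml);
            System.out.println("reasons  : " + o.reasons);
            System.out.println();
        }
    }
}
```

Whatever the outcome, the value written to storage or rendered later is `cleanHtml`, the output of AntiSamy's serializer, so the `&lt;` encoding the thread is asking to disable stays in place where it matters.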