[Owasp-antisamy] disable encoding

Frank Pedroza frank.pedroza at gmail.com
Wed Apr 29 17:24:09 EDT 2009


Guess I spoke too soon...

HTMLEntityEncoded.htmlEntityEncode()

On Wed, Apr 29, 2009 at 3:20 PM, Frank Pedroza <frank.pedroza at gmail.com> wrote:

> So alternatively, what about a way to apply the same encoding to my raw
> html so I can compare afterwards?  I suppose I could write the encoder
> myself, but I'd like to guarantee the same encoding implementation.
>
>
> On Wed, Apr 29, 2009 at 2:55 PM, Arshan Dabirsiaghi <
> arshan.dabirsiaghi at aspectsecurity.com> wrote:
>
>>  I can't think of a way to do that safely considering our architecture.
>> The serialization-to-(X)HTML process is what makes that '<' a '&lt;', and
>> disabling that encoding is possible but could lead to security issues.
>>
>> Arshan
>>
>> ------------------------------
>> *From:* owasp-antisamy-bounces at lists.owasp.org on behalf of Frank Pedroza
>> *Sent:* Wed 4/29/2009 4:34 PM
>> *To:* AntiSamy
>> *Subject:* [Owasp-antisamy] disable encoding
>>
>> This seems like something that should have already been asked, but maybe
>> not because I don't see it in the mailing archives.
>>
>> Is it possible to disable the html encoding?  Specifically, I'm doing the
>> following:
>>
>> ----------------------------------------------------------------
>> CleanResults results = antisamy.scan(html);  // antisamy is an AntiSamy instance I've initialized with a policy file
>>
>> String cleanHtml = results.getCleanHTML();
>>
>> if (!html.equalsIgnoreCase(cleanHtml)) {
>>   // user input is not valid
>> }
>> else if (!results.getErrorMessages().isEmpty()) {
>>   // user input is invalid
>> }
>> ----------------------------------------------------------------
>>
>> My test input is '1 < 2' and is getting translated into '1 &lt; 2'.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090429/b887499e/attachment.html 
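An added example, not code from this thread or from the AntiSamy project, showing why the raw-vs-clean comparison posted above fails on '1 < 2' and what a comparison that survives the serializer's re-encoding needs to do. It applies the entity encoding an (X)HTML serializer applies ('<' to '&lt;', '&' to '&amp;', and so on), but only to text outside tags, then compares the result with the cleaned string; it also shows that encoding the whole raw string, the alternative floated in the thread, only matches when the input has no tags and no existing entity references. The class name, the tag-detection heuristic and every sample pair are assumptions of this example: the first pair is the thread's own case, the other cleaned strings are what a serializer is expected to emit, not captured AntiSamy output, and the last pair stands for a policy that removed an attribute.

```java
/**
 * Added example (not from this thread or from the AntiSamy project).
 * Compares raw input with sanitizer output after applying the same entity
 * encoding an (X)HTML serializer applies to text nodes, so that "1 < 2"
 * becoming "1 &lt; 2" is not mistaken for a policy violation, while a tag or
 * attribute the sanitizer removed still shows up as a real change.
 */
public class ReencodeCompare {

    /** Appends c entity-encoded the way a serializer encodes text content. */
    static void appendEncoded(StringBuilder sb, char c) {
        switch (c) {
            case '&':  sb.append("&amp;");  break;
            case '<':  sb.append("&lt;");   break;
            case '>':  sb.append("&gt;");   break;
            case '"':  sb.append("&quot;"); break;
            default:   sb.append(c);
        }
    }

    /** Encodes every character: the "encode the whole raw string" approach. */
    static String encodeWholeString(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            appendEncoded(sb, raw.charAt(i));
        }
        return sb.toString();
    }

    /** True when raw.charAt(i) is an '&' that starts a reference such as "&lt;" or "&#60;". */
    static boolean isEntityReference(String raw, int i) {
        int end = raw.indexOf(';', i);
        if (end < 0 || end == i + 1) {
            return false;
        }
        for (int k = i + 1; k < end; k++) {
            char c = raw.charAt(k);
            if (!(Character.isLetterOrDigit(c) || c == '#')) {
                return false;
            }
        }
        return true;
    }

    /**
     * Encodes only the text between tags. Tags are copied verbatim, and
     * existing entity references are kept rather than double-encoded.
     * Assumption (a deliberate simplification): a '<' followed by a letter
     * or '/' starts a tag that ends at the next '>', so comments, CDATA
     * sections and attribute values containing '>' are not handled.
     */
    static String encodeTextNodes(String raw) {
        StringBuilder out = new StringBuilder(raw.length() + 16);
        int n = raw.length();
        int i = 0;
        while (i < n) {
            char c = raw.charAt(i);
            if (c == '<' && i + 1 < n
                    && (Character.isLetter(raw.charAt(i + 1)) || raw.charAt(i + 1) == '/')) {
                int end = raw.indexOf('>', i);
                if (end < 0) {
                    end = n - 1;            // unterminated tag: copy the rest as-is
                }
                out.append(raw, i, end + 1);
                i = end + 1;
            } else if (c == '&' && isEntityReference(raw, i)) {
                int end = raw.indexOf(';', i);
                out.append(raw, i, end + 1);
                i = end + 1;
            } else {
                appendEncoded(out, c);
                i++;
            }
        }
        return out.toString();
    }

    /** True when clean differs from raw only by the serializer's text-node encoding. */
    static boolean onlyReencoded(String raw, String clean) {
        return encodeTextNodes(raw).equals(clean);
    }

    public static void main(String[] args) {
        // Constructed pairs of (raw input, cleaned output). The first is the
        // thread's own case; the remaining cleaned strings are what a serializer
        // is expected to emit, not captured AntiSamy output. The last pair
        // stands for a policy that removed an attribute: a real change.
        String[][] samples = {
            {"1 < 2",                     "1 &lt; 2"},
            {"<b>1 < 2</b>",              "<b>1 &lt; 2</b>"},
            {"Tom &amp; Jerry & friends", "Tom &amp; Jerry &amp; friends"},
            {"<b onclick=\"x()\">hi</b>", "<b>hi</b>"},
        };
        for (String[] s : samples) {
            System.out.printf("%-30s naive=%-5b whole=%-5b textnodes=%b%n",
                    s[0], s[0].equals(s[1]), encodeWholeString(s[0]).equals(s[1]),
                    onlyReencoded(s[0], s[1]));
        }
    }
}
```

The three columns are the three comparison strategies: the raw equality test from the thread, whole-string encoding, and text-node encoding. Whole-string encoding turns `<b>` into `&lt;b&gt;` and `&amp;` into `&amp;amp;`, so it only agrees with the serializer on tagless, entity-free input; encoding text nodes alone keeps the re-encoded samples equal while still reporting the removed attribute as a change. Two caveats remain even with the text-node version: a serializer also normalizes tag case, attribute quoting and whitespace, so exact string comparison against `getCleanHTML()` is only dependable for simple markup, and the sanitizer's own account of what it changed under the policy is `results.getErrorMessages()`, which this comparison supplements rather than replaces.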


More information about the Owasp-antisamy mailing list