[Owasp-antisamy] antisamy.net question

Jerry Hoff jerry.hoff at aspectsecurity.com
Thu Apr 30 22:31:48 EDT 2009


Hi Shawn,
 
The string you sent in was:
 
antisamy.scan("test<script>alert(document.cookie)</script>", policy)
 
The error message you received was:
 
"The <b>script</b> tag has been removed for security reasons."
 
So the error message is saying the single <script></script> set of tags you sent in has been removed.  The word "test" should still make it through.
 
Thanks,
Jerry
 

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Shawn Shannon
Sent: Wed 4/29/2009 9:17 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] antisamy.net question



Hello,

 

I am just starting to look into the antisamy.net coding.

 

When I try the following sample:

 

                    AntiSamy antisamy = new AntiSamy();

                    Policy policy = null;

                    policy = Policy.getInstance("antisamy.xml");

                    int count = antisamy.scan("test<script>alert(document.cookie)</script>", policy).getNumberOfErrors();

 

                    System.Collections.ArrayList list = antisamy.scan("test<script>alert(document.cookie)</script>", policy).getErrorMessages();

 

The single error message I receive is:

 

? list[0]

"The <b>script</b> tag has been removed for security reasons."

 

Why is the error message not referring to the <script> tag found?

 

 


________________________________

Attention:
The information contained in this message and or attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any system and destroy any copies.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090430/caa4cf7e/attachment.html 


More information about the Owasp-antisamy mailing list