[Owasp-antisamy] AntiSamy versus ESAPI?

Jim Manico jim at manico.net
Tue Aug 4 19:10:31 EDT 2009


On ESAPI, AntiSamy, and Input Validation.

When accepting HTML from a user that you then need to render, use AntiSamy to set a policy for what HTML you accept as input from users. Some also use AntiSamy as an "output policy checker" for HTML output that came from other users.

Use ESAPI's validation for pretty much all else.

If you need to do secure file upload, that is a WAY more complex issue that ESAPI only partially addresses, currently.

- Jim
  ----- Original Message ----- 
  From: Joanne Sun 
  To: owasp-antisamy at lists.owasp.org 
  Sent: Tuesday, August 04, 2009 11:49 AM
  Subject: [Owasp-antisamy] AntiSamy versus ESAPI?


  Hi,

  Can anybody point me to a page similar to

  http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

  for using AntiSamy for XSS prevention? All the rules on that page use ESAPI.

  Can you tell me when to use AntiSamy and when to use ESAPI?

  Thanks,

  Joanne


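The split Jim describes, written out as an added Java example (this is not code from the thread, from AntiSamy or from ESAPI). It assumes the AntiSamy and ESAPI jars are on the classpath with their ESAPI.properties and validation.properties, and that an AntiSamy policy file named antisamy-comments.xml is on the classpath; that file name, the field names, and the CommentHandler class are illustrative choices. A rich-text field goes through an AntiSamy policy on input and is re-checked with the same policy on output; a plain field goes through ESAPI's whitelist validator and is HTML-encoded on output rather than sanitized.

```java
import java.io.InputStream;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class CommentHandler {

    // Assumption: the AntiSamy policy file lives on the classpath under this name.
    private static final String POLICY_RESOURCE = "antisamy-comments.xml";

    private final Policy policy;

    public CommentHandler() throws PolicyException {
        InputStream in = CommentHandler.class.getClassLoader().getResourceAsStream(POLICY_RESOURCE);
        if (in == null) {
            throw new PolicyException("AntiSamy policy not found on classpath: " + POLICY_RESOURCE);
        }
        this.policy = Policy.getInstance(in);
    }

    /** Rich-text field: the AntiSamy policy decides which tags and attributes survive. */
    public String acceptCommentHtml(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(untrustedHtml, policy);
        // Each message names something the policy removed; a burst of these from one
        // account is worth logging as a possible probing attempt.
        for (String msg : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + msg);
        }
        return results.getCleanHTML();
    }

    /** Output policy check: HTML stored by another user is re-scanned before rendering. */
    public boolean storedHtmlStillConforms(String storedHtml) throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(storedHtml, policy);
        // Zero errors means the stored markup already conforms to the current policy;
        // anything else means the policy has tightened since storage or the data was tampered with.
        return results.getNumberOfErrors() == 0;
    }

    /** Plain field: ESAPI whitelist validation against a rule from validation.properties. */
    public String acceptDisplayName(String untrusted) throws ValidationException {
        // "SafeString" refers to the Validator.SafeString regex in ESAPI's validation.properties.
        // The context string "displayName" only labels the field in error messages and logs.
        // ESAPI may also throw its unchecked IntrusionException here on blatant attack input.
        return ESAPI.validator().getValidInput("displayName", untrusted, "SafeString", 50, false);
    }

    /** Plain text placed in an HTML body: encode for the HTML context, never sanitize. */
    public static String renderDisplayName(String validatedName) {
        return ESAPI.encoder().encodeForHTML(validatedName);
    }

    public static void main(String[] args) throws Exception {
        CommentHandler handler = new CommentHandler();

        // Constructed sample inputs, not data from the thread.
        String comment = "<p>Nice post <b>Jim</b></p><script>alert(1)</script>";
        String name = "Joanne <img src=x onerror=alert(1)>";

        System.out.println("Clean HTML: " + handler.acceptCommentHtml(comment));
        System.out.println("Conforms:   " + handler.storedHtmlStillConforms("<p>hello</p>"));
        try {
            handler.acceptDisplayName(name);
        } catch (ValidationException e) {
            // Expected: the display name is not a SafeString, so it is rejected outright.
            System.out.println("Rejected name: " + e.getMessage());
        }
        System.out.println("Encoded:    " + renderDisplayName("O'Brien & <co>"));
    }
}
```

The point of keeping the two paths separate is that sanitizing and encoding answer different questions: AntiSamy keeps a markup subset the policy allows, while encodeForHTML guarantees that no markup is interpreted at all. For the non-HTML field that second guarantee is the one you want, and running it through an HTML policy instead would silently accept tags you never meant to render. ESAPI's Java validator also exposes getValidSafeHTML, whose implementation delegates to AntiSamy with the policy file named in ESAPI's configuration, so the two libraries are complementary rather than competing.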