[Owasp-antisamy] Upgrading NekoHTML?

Jason Li jason.li at owasp.org
Fri Dec 25 00:52:56 EST 2009


The problem is that there is an error in the NekoHTML parser that
causes that stack overflow when dealing with certain malicious HTML -
which is especially bad given the purpose of AntiSamy to protect
against malicious HTML.

Despite the fact that we have brought this bug to the attention of the
Neko developers and offered a viable patch, last time I checked with
Arshan, it had been rejected by the developers.

I haven't personally looked at the latest version of NekoHTML, but I
imagine it would be very quick to apply the same patch to the latest
version of NekoHTML.

That's probably something we will look into doing after the holidays.

Thanks for bringing the new version to our attention!

-Jason

On Thu, Dec 24, 2009 at 1:16 PM, Dan Rabe <dan.rabe at oracle.com> wrote:
> Just curious if anyone has looked at using AntiSamy with the latest
> NekoHTML? AntiSamy is using 1.9.11; the latest NekoHTML is 1.9.13. In
> general I like to use the latest libraries available, but I noticed that
> upgrading the NekoHTML jar results in more failures in AntiSamyTest (in
> both 1.3 and current). I also have an example of HTML generated by Word
> 2007 (when you copy a fragment from a Word document) that results in a
> stack overflow in NekoHTML 1.9.13, but not 1.9.11. But then I look at
> the changelog for NekoHTML and see that they've fixed some fairly
> serious bugs (like an infinite loop). All things considered, a
> StackOverflowError is easier to live with than an infinite loop!
>
> Thanks,
> --Dan