[Owasp-antisamy] Why does   tags get escaped?

Mike Christensen imaudi at comcast.net
Wed Feb 18 15:31:50 EST 2009


I'm sending this again as I never got a response to it..

Mike Christensen wrote:
> Hi guys - there appears to be a bug in AntiSamy (actually it might be 
> more accurate to say there's a bug in the HtmlAgilityPack) that's 
> kinda driving me nuts.  It appears if you enter the HTML:
>
> Hello There
>
> It gets converted to:
>
> Hello There
>
> Which is obviously not what I want.  This is happening in 
> AntiSamyDOMScanner.cs in the scan function on this line:
>
> string finalCleanHTML = doc.DocumentNode.InnerHtml;
>
> It appears the InnerHtml property actually escapes markup within the 
> document.  Are people aware of this issue and is there any documented 
> work-around or planned fix?  I think it's perfectly valid for HTML to 
> safely contain these entities and I don't want markup to be escaped 
> and displayed back to my users.  For now, I've worked around this with:
>
> res = res.Replace(" ", " ");
>
> But that's a bit lame <g>
>
> Thanks!
> Mike
>


More information about the Owasp-antisamy mailing list