[Owasp-antisamy] Why does tags get escaped?
arshan.dabirsiaghi at aspectsecurity.com
Wed Feb 18 15:41:30 EST 2009
Sorry for the quiet response - I talked with Jerry who wrote the .NET version and he is trying to address this and other requests before releasing the next version.
Thanks for helping us stay focused! We do need nudges every now and again.
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Mike Christensen
Sent: Wed 2/18/2009 3:31 PM
To: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] Why does tags get escaped?
I'm sending this again as I never got a response to it.
Mike Christensen wrote:
> Hi guys - there appears to be a bug in AntiSamy (actually it might be
> more accurate to say there's a bug in the HtmlAgilityPack) that's
> kinda driving me nuts. It appears if you enter the HTML:
> Hello There
> It gets converted to:
> Which is obviously not what I want. This is happening in
> AntiSamyDOMScanner.cs in the scan function on this line:
> string finalCleanHTML = doc.DocumentNode.InnerHtml;
> It appears the InnerHtml property actually escapes markup within the
> document. Are people aware of this issue and is there any documented
> work-around or planned fix? I think it's perfectly valid for HTML to
> safely contain these entities and I don't want markup to be escaped
> and displayed back to my users. For now, I've worked around this with:
> res = res.Replace("&nbsp;", " ");
> But that's a bit lame <g>