[Owasp-antisamy] Why does   tags get escaped?

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Feb 18 15:46:54 EST 2009


We are always happy to take patches of any kind, whether in regards to new features you'd like, to fix bugs, or to implement functionality found in the Java version.
 
=]
 
Arshan

________________________________

From: Mike Christensen [mailto:imaudi at comcast.net]
Sent: Wed 2/18/2009 3:45 PM
To: Arshan Dabirsiaghi
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] Why does   tags get escaped?


Thanks! Let me know if there's anything I can do to help. I don't have a ton of free time, but I'm definitely interested in this project.

Mike

Arshan Dabirsiaghi wrote: 

	Sorry for the quiet response - I talked with Jerry who wrote the .NET version and he is trying to address this and other requests before releasing the next version. 
	 
	Thanks for helping us stay focused! We do need nudges every now and again.
	 
	Arshan

________________________________

	From: owasp-antisamy-bounces at lists.owasp.org on behalf of Mike Christensen
	Sent: Wed 2/18/2009 3:31 PM
	To: owasp-antisamy at lists.owasp.org
	Subject: Re: [Owasp-antisamy] Why does   tags get escaped?
	
	

	I'm sending this again as I never got a response to it.
	
	Mike Christensen wrote:
	> Hi guys - there appears to be a bug in AntiSamy (actually it might be
	> more accurate to say there's a bug in the HtmlAgilityPack) that's
	> kinda driving me nuts.  It appears if you enter the HTML:
	>
	> Hello There
	>
	> It gets converted to:
	>
	> Hello There
	>
	> Which is obviously not what I want.  This is happening in
	> AntiSamyDOMScanner.cs in the scan function on this line:
	>
	> string finalCleanHTML = doc.DocumentNode.InnerHtml;
	>
	> It appears the InnerHtml property actually escapes markup within the
	> document.  Are people aware of this issue and is there any documented
	> work-around or planned fix?  I think it's perfectly valid for HTML to
	> safely contain these entities and I don't want markup to be escaped
	> and displayed back to my users.  For now, I've worked around this with:
	>
	> res = res.Replace(" ", " ");
	>
	> But that's a bit lame <g>
	>
	> Thanks!
	> Mike
	>
	_______________________________________________
	Owasp-antisamy mailing list
	Owasp-antisamy at lists.owasp.org
	https://lists.owasp.org/mailman/listinfo/owasp-antisamy
	
