[Owasp-antisamy] Basic question
Arshan Dabirsiaghi
arshan.dabirsiaghi at aspectsecurity.com
Thu Jun 11 09:25:09 EDT 2009
AntiSamy is not a great "detector" of XSS, although in a pinch I guess you could use it for that.
I wouldn't suggest using it for that in a production site the way you're describing. It's not great at detecting this because it is a whitelist API. When users type in bizarre but non-malicious code they will face the same consequences as attackers, and you could possibly lose their business.
Aside from that though, you're right. It should be reported. Here is the Google Code issue where this is previously pointed out:
http://code.google.com/p/owaspantisamy/issues/detail?id=44
As you can see, we will address this by the next version.
Thanks,
Arshan
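The reply above makes two points that are easy to get wrong in code: AntiSamy is a whitelist sanitizer, so a zero error count says nothing about whether the input was hostile, and a "sanitizer changed something" signal fires for odd-but-harmless markup just as it does for a script tag. The following is an added example, not code from the thread or from the AntiSamy project, showing a defender-side use of the API that keeps the sanitized output and records modifications for review instead of acting on `getNumberOfErrors()`. It assumes the AntiSamy 1.x API (`AntiSamy`, `Policy`, `CleanResults`) and a policy file at the placeholder path `antisamy.xml`; the thread notes the error-count behaviour is to change in a later version, so the exact count printed depends on the version you run.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (not part of the mailing-list thread or the AntiSamy project).
 * Demonstrates why CleanResults.getNumberOfErrors() is not an XSS "detector"
 * and what a defender can log instead. Assumes a policy file at the
 * placeholder path antisamy.xml.
 */
public class AntiSamyErrorCountDemo {

    // Constructed inputs: the script tag from the original question and a
    // bizarre-but-harmless snippet that a whitelist policy will also rewrite.
    static final String SCRIPT_INPUT =
        "<script type=\"text/javascript\" src=\"http://www.abc.com/test.js\"></script>";
    static final String ODD_BUT_BENIGN_INPUT =
        "<blink>hello</blink> <b>world</b>";

    /** Plain data about one scan, so the caller decides what to do with it. */
    static final class ScanOutcome {
        final String cleanHtml;
        final int errorCount;
        final boolean inputWasModified;

        ScanOutcome(String cleanHtml, int errorCount, boolean inputWasModified) {
            this.cleanHtml = cleanHtml;
            this.errorCount = errorCount;
            this.inputWasModified = inputWasModified;
        }
    }

    /** Collapses whitespace so serializer reformatting alone does not count as a change. */
    static String normalize(String html) {
        return html.replaceAll("\\s+", " ").trim();
    }

    static ScanOutcome sanitize(AntiSamy antiSamy, Policy policy, String untrusted)
            throws ScanException, PolicyException {
        CleanResults cr = antiSamy.scan(untrusted, policy);
        String clean = cr.getCleanHTML();
        // A whitelist sanitizer drops what the policy does not allow; it does not
        // judge intent. As reported in the thread, errorCount can be 0 even though
        // the <script> tag was removed, so the count is not a security signal.
        boolean modified = !normalize(clean).equals(normalize(untrusted));
        return new ScanOutcome(clean, cr.getNumberOfErrors(), modified);
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance("antisamy.xml"); // placeholder path
        AntiSamy antiSamy = new AntiSamy();

        for (String input : new String[] { SCRIPT_INPUT, ODD_BUT_BENIGN_INPUT }) {
            ScanOutcome out = sanitize(antiSamy, policy, input);
            System.out.println("input:               " + input);
            System.out.println("clean:               " + out.cleanHtml);
            System.out.println("getNumberOfErrors(): " + out.errorCount);
            System.out.println("input modified:      " + out.inputWasModified);
            // Always render the sanitized output. Treat a modification as a
            // logging/review signal only: the benign second input is rewritten
            // too, so ending the session on it would punish legitimate users,
            // which is exactly the risk the reply warns about.
            if (out.inputWasModified) {
                System.out.println("-> sanitizer changed the input; record for review, keep the session");
            }
            System.out.println();
        }
    }
}
```

The comparison is deliberately conservative: AntiSamy's serializer may re-indent or reorder attributes, so even after whitespace normalization a "modified" flag is a review hint rather than proof of an attack. The security decision that matters is unconditional here: the sanitized string is what gets stored and rendered, whatever the error count says.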
________________________________
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Jean Arcand
Sent: Thu 6/11/2009 9:09 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Basic question
Greetings,
I've been using the default policy file to scan some user inputs, and obvious inputs like "<script type="text/javascript" src="http://www.abc.com/test.js"></script>" do get removed by the scanner but don't throw an error (cr.getNumberOfErrors() == 0).
It's confusing, since I was hoping I could rely on the error message list to detect hacking attempts and log the user off. Did I miss anything?
Thanks for the help!