[Owasp-antisamy] Basic question
arshan.dabirsiaghi at aspectsecurity.com
Thu Jun 11 09:25:09 EDT 2009
AntiSamy is not a great "detector" of XSS, although in a pinch I guess you could use it for that.
I wouldn't suggest using it for that in a production site the way you're describing. It's not great at detecting this because it is a whitelist API. When users type in bizarre but non-malicious code they will face the same consequences as attackers, and you could possibly lose their business.
Aside from that though, you're right. It should be reported. Here is the Google Code issue where this is previously pointed out:
As you can see, we will address this by the next version.
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Jean Arcand
Sent: Thu 6/11/2009 9:09 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Basic question
It's confusing since I was hoping I could rely on the error message list to detect hacking attempts and log the user off. Did I miss anything?
Thanks for the help!
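The false-positive problem Arshan describes can be seen directly with the AntiSamy API. The following Java program is an added example, not code from this thread or from the AntiSamy project: it scans two constructed inputs, one attacker-style and one harmless but outside the whitelist, with the same policy and prints the error list for each. The policy file path is an assumption; any of the stock AntiSamy policy files will do.

```java
// Added example (not from the mailing-list thread or the AntiSamy project).
// Shows why CleanResults.getErrorMessages() records whitelist violations,
// not confirmed attacks: both inputs below produce errors.
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyErrorsAreNotAlerts {

    // Constructed sample: attacker-style input (event handler plus script tag).
    static final String MALICIOUS =
        "<div onmouseover=\"alert(1)\">hi</div><script>document.cookie</script>";

    // Constructed sample: harmless markup that the policy simply does not
    // whitelist (a non-listed tag and a non-listed attribute).
    static final String ODD_BUT_BENIGN =
        "<marquee>welcome</marquee><p data-note=\"draft\">text</p>";

    // Scan one input and print what the sanitizer removed and why.
    static void report(String label, String input, AntiSamy antiSamy, Policy policy)
            throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(input, policy);
        System.out.println(label + ": " + results.getNumberOfErrors() + " error(s)");
        List<String> messages = results.getErrorMessages();
        for (String message : messages) {
            System.out.println("  - " + message);
        }
        System.out.println("  clean HTML: " + results.getCleanHTML());
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a stock AntiSamy policy file is available at this path.
        Policy policy = Policy.getInstance("antisamy-slashdot.xml");
        AntiSamy antiSamy = new AntiSamy();

        report("malicious", MALICIOUS, antiSamy, policy);
        report("odd-but-benign", ODD_BUT_BENIGN, antiSamy, policy);

        // Both scans return a non-empty error list, so an "errors > 0" rule
        // cannot tell the two users apart. Serve getCleanHTML() as the output
        // and keep the error list as a sanitization audit trail rather than
        // using it as a trigger for logging the user off.
    }
}
```

Run it with the AntiSamy jar and its dependencies on the classpath. The useful signal for a defender is the cleaned output, which is safe to render either way; the error list is best logged for review, since it rises with legitimate copy-paste from word processors and rich editors just as it does with hostile input.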