[Owasp-antisamy] Basic question

Alexander Afonin alexafonin at yahoo.com
Fri Jun 12 11:56:04 EDT 2009


Hi Arshan,
 
This bug (issue 44) is a major concern for us as we need to correctly report validation errors to the users. When do you expect the next release to be available? Is it possible to fix it in version 1.3? Can you recommend any workarounds?
 
Thanks,
Alex

--- On Thu, 6/11/09, Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com> wrote:


From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
Subject: Re: [Owasp-antisamy] Basic question
To: "Jean Arcand" <jarcand at gmail.com>, owasp-antisamy at lists.owasp.org
Date: Thursday, June 11, 2009, 2:25 PM




AntiSamy is not a great "detector" of XSS, although in a pinch I guess you could use it for that.
 
I wouldn't suggest using it for that in a production site the way you're describing. It's not great at detecting this because it is a whitelist API. When users type in bizarre but non-malicious code they will face the same consequences as attackers, and you could possibly lose their business.
 
Aside from that though, you're right. It should be reported. Here is the Google Code issue where this was previously pointed out:
 
http://code.google.com/p/owaspantisamy/issues/detail?id=44
 
As you can see, we will address this by the next version.
 
Thanks,
Arshan
 
 



From: owasp-antisamy-bounces at lists.owasp.org on behalf of Jean Arcand
Sent: Thu 6/11/2009 9:09 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Basic question


Greetings, 

I've been using the default policy file to scan some user inputs, and obvious inputs like "<script type="text/javascript" src="http://www.abc.com/test.js"></script>" do get removed by the scanner but don't throw an error (cr.getNumberOfErrors() == 0). 

It's confusing since I was hoping I could rely on the error message list to detect hacking attempts and log the user off. Did I miss anything?

Thanks for the help!

_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy
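The thread's technical point is that AntiSamy, as a whitelist sanitizer, silently drops disallowed markup such as the script tag above while CleanResults.getNumberOfErrors() stays at 0, so the error list is not a reliable signal for "something was stripped". The following is an added example, not code from the thread or from the AntiSamy project, showing the defensive pattern Arshan's reply implies: use the library for sanitizing, and if you want telemetry about stripped content, derive it by comparing the input with the cleaned output rather than from the error count. It uses the real AntiSamy API (org.owasp.validator.html.AntiSamy, Policy, CleanResults); the policy file path "antisamy.xml", the class and field names, and the sample input (modelled on the one in the original question) are assumptions.

```java
// Added example (not from the thread or the AntiSamy project): sanitize with
// AntiSamy and log when sanitization changed the input, instead of relying on
// CleanResults.getNumberOfErrors() as an attack detector.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class SanitizeAndLog {

    // Outcome of sanitizing one field, for the caller to act on.
    public static final class Outcome {
        public final String cleanHtml;
        public final boolean modified;   // true if the sanitizer changed the content
        public final int reportedErrors; // what AntiSamy itself reported

        Outcome(String cleanHtml, boolean modified, int reportedErrors) {
            this.cleanHtml = cleanHtml;
            this.modified = modified;
            this.reportedErrors = reportedErrors;
        }
    }

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    public SanitizeAndLog(String policyFilePath) throws PolicyException {
        // The policy file path is an assumption; use the one your deployment ships.
        this.policy = Policy.getInstance(policyFilePath);
    }

    public Outcome sanitize(String fieldName, String input) throws ScanException, PolicyException {
        CleanResults cr = antiSamy.scan(input, policy);
        String clean = cr.getCleanHTML();

        // A whitelist sanitizer also normalises benign markup (quotes attributes,
        // closes tags), so "modified" is a signal worth logging and reviewing,
        // not proof of an attack, and not grounds to log the user off on its own.
        boolean modified = !normalise(input).equals(normalise(clean));

        if (modified || cr.getNumberOfErrors() > 0) {
            // Hypothetical log line; route to your real logging framework.
            System.err.printf("antisamy: field=%s modified=%b errors=%d messages=%s%n",
                    fieldName, modified, cr.getNumberOfErrors(), cr.getErrorMessages());
        }
        return new Outcome(clean, modified, cr.getNumberOfErrors());
    }

    // Collapse whitespace so reformatting alone does not count as a change.
    private static String normalise(String html) {
        return html.replaceAll("\\s+", " ").trim();
    }

    public static void main(String[] args) throws Exception {
        SanitizeAndLog sanitizer = new SanitizeAndLog("antisamy.xml"); // assumed path

        // Constructed sample input, modelled on the one in the original question.
        String input = "Hello <script type=\"text/javascript\" "
                + "src=\"http://www.abc.com/test.js\"></script> world";

        Outcome o = sanitizer.sanitize("comment", input);
        System.out.println("clean:    " + o.cleanHtml);
        System.out.println("modified: " + o.modified
                + ", errors reported by AntiSamy: " + o.reportedErrors);
    }
}
```

The point of the comparison is to keep sanitizing and detection separate: the cleaned HTML is what gets stored or rendered regardless, and the "modified" flag feeds logging or rate-limiting decisions where a false positive from a user's odd but harmless markup costs nothing more than a log entry.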