[Owasp-antisamy] strip ALL html tags,js,css with antisamy?

Sam Gendler sgendler at ideasculptor.com
Thu Mar 12 22:25:17 EDT 2009


It is easy enough to use something like the slashdot policy file on
fields that are intended to have some formatting, but is it possible
to configure an antisamy policy file such that antisamy will very
rapidly strip out ALL html tags for fields like a user's name, which
may well be rendered to the page, too?  I can set up validation that
will limit the character set and structure, and I always html-escape
such strings when they are outbound so tags should never be
interpreted by the browser, but it would be an extra level of security
to simply strip all such content at submission time.  It occurs to me
that default behaviour must be to strip all tags that aren't
explicitly listed in the policy file, so I can probably just have an
empty tag-rules section in the policy file, but is there a way to
specify whether the behaviour should be tag removal or tag filtering
in that case?  I'd really rather have tag filtering in most instances.

Also, in my search through the archives, I saw mention of reusing the
instance with different policy objects in order to avoid policy
parsing overhead.  There was mention of future changes in support of
this.  I'm curious as to whether that is now a viable strategy.  Is
the AntiSamy object threadsafe?  What about the policy object?  Can I
simply instantiate a single AntiSamy singleton and a single instance
of each supported policy which can then be shared by all processing
threads?
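A concrete form of the empty tag-rules policy the post considers, with the policy parsed once and handed to every scan() call rather than re-read per request. This is an added example, not code from the post or the AntiSamy project; the policy text, class name and sample input are constructed, and it assumes that an empty <tag-rules> section is accepted by the policy loader and that unknown tags fall under AntiSamy's default unknown-tag handling.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
// Added example, not AntiSamy project code; policy text and sample input are constructed.
public class StripAllTags {
    // Constructed policy: <tag-rules> is empty, so every tag is unknown and
    // gets AntiSamy's default unknown-tag handling. The other sections stay
    // present but empty because the policy format expects them.
    private static final String STRIP_ALL_POLICY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<anti-samy-rules>\n"
      + "  <directives>\n"
      + "    <directive name=\"omitXmlDeclaration\" value=\"true\"/>\n"
      + "    <directive name=\"omitDoctypeDeclaration\" value=\"true\"/>\n"
      + "    <directive name=\"maxInputSize\" value=\"5000\"/>\n"
      + "  </directives>\n"
      + "  <common-regexps/>\n"
      + "  <common-attributes/>\n"
      + "  <global-tag-attributes/>\n"
      + "  <tag-rules/>\n"
      + "  <css-rules/>\n"
      + "</anti-samy-rules>\n";
    // Parsed once and reused: the Policy is passed to each scan() call instead
    // of being re-read per request, which is the overhead the post asks about.
    private static final Policy STRIP_ALL;
    static {
        try {
            STRIP_ALL = Policy.getInstance(new ByteArrayInputStream(
                STRIP_ALL_POLICY.getBytes(StandardCharsets.UTF_8)));
        } catch (PolicyException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Returns the sanitized name; it must still be output-encoded when rendered.
    public static String cleanName(String submitted) throws ScanException, PolicyException {
        CleanResults cr = new AntiSamy().scan(submitted, STRIP_ALL);
        return cr.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input carrying markup and a script element.
        System.out.println(cleanName("Sam <b>G</b><script>notify()</script>"));
    }
}
```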

