[Owasp-antisamy] Can antisamy scrub more then html/css

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Mar 20 09:14:15 EDT 2009

Not currently. AntiSamy only "guarantees" safety when you stick raw AntiSamy output between a start and end tag - that is the use case. Any other context and it's not reliable. If you want to stick AntiSamy output into a textbox, you can simply HTML-encode it and it should be fine.
For more information on HTML contexts and XSS, check out this article at OWASP (very worth the read):
Hope that helps!


From: owasp-antisamy-bounces at lists.owasp.org on behalf of Eric Kreiser
Sent: Fri 3/20/2009 9:00 AM
To: Owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Can antisamy scrub more then html/css

So a standard XSS issue is if the user enters something which is not
HTML... but when combined with HTML would be a vulnerability.  For

x" onmouseover=alert(something)

does antisamy have a solution for this?

Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
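The context point Arshan makes above, shown as an added example (this is not code from the thread or from AntiSamy). It takes the attribute-breaking input from the question, renders it into the two contexts discussed, and uses Python's standard-library HTML parser as a stand-in for the browser to show which attributes the markup actually ends up with. The payload and the surrounding markup are constructed for the example; a sanitizer run is not included because the input contains no tags for it to act on.

```python
import html
from html.parser import HTMLParser

# Constructed attacker input, modelled on the one in the question: it contains
# no tags at all, so a tag/attribute whitelist sanitizer has nothing to remove,
# yet it closes a quoted attribute and starts a new one.
PAYLOAD = 'x" onmouseover=alert(document.cookie)'


class _Collector(HTMLParser):
    """Records the start tags (with attributes) and text nodes that an HTML
    parser produces for a piece of rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []   # list of (tag_name, {attr: value})
        self.text = []   # text nodes, in document order

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.text.append(data)


def parse(markup):
    """Return (tags, text) as the parser sees the markup."""
    p = _Collector()
    p.feed(markup)
    p.close()
    return p.tags, p.text


def event_handlers(markup):
    """Names of every on* attribute the parser finds in the markup."""
    tags, _ = parse(markup)
    return sorted(name for _, attrs in tags for name in attrs if name.startswith("on"))


def render_between_tags(sanitized):
    # The one context sanitizer output is meant for: element content.
    return "<div>" + sanitized + "</div>"


def render_in_attribute_raw(sanitized):
    # The unsupported case: the same output dropped into a quoted attribute unchanged.
    return '<input type="text" value="' + sanitized + '">'


def render_in_attribute_encoded(sanitized):
    # The fix suggested in the reply: HTML-encode for the attribute context.
    # quote=True makes html.escape encode " and ' as well as & < >.
    return '<input type="text" value="' + html.escape(sanitized, quote=True) + '">'


if __name__ == "__main__":
    for label, render in (
        ("between tags", render_between_tags),
        ("raw in attribute", render_in_attribute_raw),
        ("encoded in attribute", render_in_attribute_encoded),
    ):
        markup = render(PAYLOAD)
        print(f"{label:22} {markup}")
        print(f"{'':22} event handlers seen by parser: {event_handlers(markup)}")
```

Between tags the parser yields a single text node and no handlers; raw in the attribute the parser yields an `onmouseover` attribute on the `input`; after `html.escape(..., quote=True)` the `value` attribute round-trips to the original string and no handler appears. The same encoding is what the reply recommends before putting sanitizer output into a textbox.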

