[Owasp-antisamy] Can antisamy scrub more than html/css

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Mar 20 09:14:15 EDT 2009


Not currently. AntiSamy only "guarantees" safety when you stick raw AntiSamy output between a start and end tag - that is the use case. Any other context and it's not reliable. If you want to stick AntiSamy output into a textbox, you can simply HTML-encode it and it should be fine.
 
For more information on HTML contexts and XSS, check out this article at OWASP (very worth the read):
 
https://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
 
Hope that helps!
 
Arshan

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Eric Kreiser
Sent: Fri 3/20/2009 9:00 AM
To: Owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] Can antisamy scrub more than html/css



so a standard xss issue is if the user enters something which is not
html... but when combined with html would be a vulnerability.  For
instance

x" onmouseover=alert(something)

does antisamy have a solution for this?

Thanks
Eric
_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy
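The point made in both messages above, as an added worked example that is not code from this thread or from the AntiSamy project: a string with the shape of Eric's payload contains no tags, so a markup sanitizer has nothing to strip, yet it still breaks out of a quoted attribute value; Arshan's fix for the textbox case is to HTML-encode (quotes included) before putting it there. The AntiSamy scan step itself is not reproduced; Python's standard `html.escape` stands in for whatever encoder the application uses, `html.parser.HTMLParser` is used to observe how a tolerant HTML parser reads the result, and the function names, the `render_textbox_*` templates and the sample inputs are all assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed inputs for this example (not from the thread or AntiSamy's tests).
# The first has the shape of Eric's payload: no tags at all, so a markup
# sanitizer has nothing to remove, yet it closes a quoted attribute value.
ATTRIBUTE_BREAKOUT = 'x" onmouseover=alert(1)'
# The second is the case AntiSamy is built for: markup placed between tags.
ELEMENT_CONTENT = '<b>hello</b>'


def render_textbox_unsafe(value: str) -> str:
    """Hypothetical template that drops a string into an attribute value with
    no encoding. This is the misuse Arshan warns about: sanitizer output is
    only guaranteed safe between a start and end tag, not inside an attribute."""
    return '<input type="text" value="%s">' % value


def render_textbox_safe(value: str) -> str:
    """Same template, but the value is HTML-encoded (quote=True also encodes
    the double quote), which is the fix Arshan suggests for the textbox case."""
    return '<input type="text" value="%s">' % escape(value, quote=True)


class _FirstTag(HTMLParser):
    """Records the name and attributes of the first start tag, so we can see
    how a tolerant HTML parser (browser-style) reads the rendered markup."""

    def __init__(self):
        super().__init__()
        self.tag = None
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.tag is None:
            self.tag = tag
            self.attrs = dict(attrs)


def parse_first_tag(markup: str):
    """Returns (tag_name, {attribute: value}) for the first start tag."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.tag, parser.attrs or {}


def injected_event_handlers(markup: str):
    """Names of on* attributes the parser sees on the first tag. A non-empty
    result means the input escaped the attribute-value context."""
    _, attrs = parse_first_tag(markup)
    return sorted(name for name in attrs if name.startswith('on'))


if __name__ == '__main__':
    for label, render in (('unsafe', render_textbox_unsafe),
                          ('safe', render_textbox_safe)):
        out = render(ATTRIBUTE_BREAKOUT)
        print(label, out)
        print('   event handlers seen by the parser:', injected_event_handlers(out))
    # Element content is the other direction: encoding there would display the
    # tags literally, which is why a sanitizer such as AntiSamy is used instead.
    print('encoded element content:', escape(ELEMENT_CONTENT))
```

The unsafe rendering yields an `onmouseover` attribute on the input element even though the payload never contained a tag; the encoded rendering keeps the whole string as the `value` attribute. Conversely, running `escape` over element content would show `&lt;b&gt;hello&lt;/b&gt;` literally, which is exactly the case where AntiSamy, not an encoder, is the right tool.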

