[Owasp-antisamy] escaping tags

Jason Li jason.li at owasp.org
Fri Mar 20 17:58:34 EDT 2009


AntiSamy is designed to work with HTML and CSS, not XML. I can
envision how you could still leverage AntiSamy but I'm still trying to
understand your use case.

Are you trying to allow users to enter custom XML whose elements can
contain HTML?

Can you provide an example input and show what you'd like AntiSamy to
produce for output?

-Jason Li-
-jason.li at owasp.org-

On Fri, Mar 20, 2009 at 5:39 PM, Michael Masters <mmasters at gmail.com> wrote:
> Hi Jason,
> Thanks for the reply.
> The use case I have is where someone is entering XML into a field and
> I want to HTML Entity Encode it, but I want everything else sanitized
> by AntiSamy.
> Currently, AntiSamy removes the markup.
> Thanks!
> Mike
> On Thu, Mar 19, 2009 at 2:01 PM, Jason Li <jason.li at owasp.org> wrote:
>> Mike,
>> AntiSamy has several actions you can take with tags, but escaping them
>> is not one of them.
>> It's something we could add in a future version, but I'd like to
>> understand what you're hoping to gain by escaping tags through
>> AntiSamy. You could just HTML Entity Encode the input text without
>> running it through AntiSamy and achieve the same effect with lower
>> overhead.
>> Are you trying to selectively escape some tags? Can you provide a use
>> case for this functionality?
>> --
>> -Jason Li-
>> -jason.li at owasp.org-
>> 2009/3/19 Michael Masters <mmasters at gmail.com>:
>>> Is there a way to have AntiSamy escape the tags instead of removing them?
>>> -Mike
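
The behaviour asked about in this thread (keep allowlisted HTML, entity-encode every other tag instead of dropping it), as an added example that is not part of the original messages and is not AntiSamy code. It uses Python's standard `html.parser`; the allowlist, class and function names are assumptions made for illustration, and it is not a substitute for a policy-driven sanitizer.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this illustration; a real policy is far more detailed.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}

class EscapeUnknownTags(HTMLParser):
    """Keep allowlisted tags (attributes dropped); entity-encode all other markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied through
        else:
            # Encode the tag exactly as typed so it renders as visible text.
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <x/>: emit once, no synthetic end tag

    def handle_endtag(self, tag):
        # The parser lower-cases end-tag names, so XML case is not preserved here.
        close = f"</{tag}>"
        self.out.append(close if tag in ALLOWED_TAGS else escape(close))

    def handle_data(self, data):
        self.out.append(escape(data))  # text, including script/style bodies

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->"))

    def handle_decl(self, decl):
        self.out.append(escape(f"<!{decl}>"))

    def handle_pi(self, data):
        self.out.append(escape(f"<?{data}>"))  # e.g. the <?xml ...?> prolog

def escape_unknown_tags(text):
    """Return markup for an HTML body context, with unknown tags shown literally."""
    parser = EscapeUnknownTags()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, not taken from the thread.
SAMPLE = '<p>Order: <order id="7"><item>tea</item></order> <b onclick="x()">ok</b></p>'
```

On `SAMPLE`, the `<order>` and `<item>` elements come out as visible, entity-encoded text, while `<p>` and `<b>` stay live and the `onclick` attribute is dropped.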
