[Owasp-antisamy] escaping tags

Jason Li jason.li at owasp.org
Sun Mar 22 23:41:10 EDT 2009


Michael,

For the test case you've provided, I believe you'll be much better
served by just using a standard HTML Entity Encoder such as the one
provided in the OWASP ESAPI project
(http://owasp-esapi-java.googlecode.com/svn/trunk_doc/org/owasp/esapi/codecs/HTMLEntityCodec.html).
It doesn't seem like you need the rich-text validation that AntiSamy
provides.

On the other hand, if your use case expects input a little bit more like this:
<body>This is an <em>example</em> of some work that I do in school:
<my-xml>This is some XML <strong>data</strong> for my
project</my-xml></body>

And you expect:
<body>This is an <em>example</em> of some work that I do in school:
&lt;my-xml&gt;This is some XML <strong>data</strong> for my
project&lt;/my-xml&gt;</body>

Then that's something that AntiSamy could potentially help you out
with! If memory serves me correctly, what you can do is add any custom
XML tags that you want to the policy file and set the action to
encode. For example:

<tag name="yourXmlTag" action="encode">
</tag>

Don't forget to add any attributes that your XML tag may have and the
validation strategy for those attributes!

Hope that helps!
--
-Jason Li-
-jason.li at owasp.org-
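As an added illustration of the policy-file approach described in the message above (example code written for this page, not code from the thread or from the AntiSamy project), the following Java program loads an AntiSamy policy and runs the `<my-xml>` input from the example through it. It assumes AntiSamy 1.x on the classpath, a policy file at the hypothetical path `antisamy-encode-my-xml.xml` (a copy of the stock policy with the quoted `<tag ... action="encode">` rule added under `<tag-rules>`), and the behaviour of the `encode` action as recalled in the message; the class and method names are the example's own.

```java
// Added example (not from the original thread): applying an AntiSamy policy
// whose rule for <my-xml> uses action="encode", so the custom tag is
// entity-encoded while the surrounding HTML is still validated normally.
//
// Assumed policy fragment inside <tag-rules> of the (hypothetical) policy file:
//
//   <tag name="my-xml" action="encode">
//   </tag>
//
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class EncodeCustomTagExample {

    // Hypothetical path: a copy of antisamy.xml with the my-xml rule added.
    private static final String POLICY_PATH = "antisamy-encode-my-xml.xml";

    // Run the input through AntiSamy with the custom policy and return the
    // cleaned markup.
    public static String sanitize(String input) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(POLICY_PATH);
        AntiSamy antiSamy = new AntiSamy();
        CleanResults results = antiSamy.scan(input, policy);

        // CleanResults also reports what the scanner changed; printing it is
        // a cheap way to confirm the custom tag was encoded rather than dropped.
        for (Object message : results.getErrorMessages()) {
            System.out.println("antisamy: " + message);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input mirroring the thread's example: allowed HTML
        // (<em>, <strong>) wrapping a custom XML element.
        String input = "This is an <em>example</em> of some work that I do in school: "
                     + "<my-xml>This is some XML <strong>data</strong> for my project</my-xml>";

        String output = sanitize(input);
        System.out.println("input : " + input);
        System.out.println("output: " + output);

        // Expected shape (whitespace may differ between AntiSamy versions):
        // the custom tag appears entity-encoded, the raw tag is gone, and the
        // HTML nested inside it survives.
        boolean tagEncoded = output.contains("&lt;my-xml&gt;")
                          && output.contains("&lt;/my-xml&gt;");
        boolean rawTagGone = !output.contains("<my-xml>");
        boolean htmlKept   = output.contains("<strong>data</strong>");
        System.out.println("custom tag encoded and HTML kept: "
                           + (tagEncoded && rawTagGone && htmlKept));
    }
}
```

A rule like this has to be added for every custom element name that should be encoded rather than removed; any element without a rule still falls back to the policy's default handling, and, as the message notes, any attributes the custom tag carries need their own attribute rules in the same policy file.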



On Sun, Mar 22, 2009 at 8:54 PM, Michael Masters <mmasters at gmail.com> wrote:
> So here is an example of what the input might look like:
>
> this is <foo>a</foo> test
>
> I expect the output to be untouched. Instead...the output is:
>
> this is test
>
> The output I'm looking for is something like:
>
> this is &lt;foo&gt;a&lt;/foo&gt; test
>
> Could you give me some info on what code I could change to do this? It
> would be great if we could make this configurable. From what it sounds
> like, this isn't available. I'm willing to implement this if you think
> this provides value. It most certainly does for us :)
>
> Any info on how I can implement this would be great.
>
> -Mike
>
> On Fri, Mar 20, 2009 at 3:58 PM, Jason Li <jason.li at owasp.org> wrote:
>> Michael,
>>
>> AntiSamy is designed to work with HTML and CSS, not XML. I can
>> envision how you could still leverage AntiSamy but I'm still trying to
>> understand your use case.
>>
>> Are you trying to allow users to enter custom XML whose elements can
>> contain HTML?
>>
>> Can you provide an example input and show what you'd like AntiSamy to
>> produce for output?
>>
>> --
>> -Jason Li-
>> -jason.li at owasp.org-
>>
>>
>>
>> On Fri, Mar 20, 2009 at 5:39 PM, Michael Masters <mmasters at gmail.com> wrote:
>>> Hi Jason,
>>>
>>> Thanks for the reply.
>>>
>>> The use case I have is where someone is entering xml into a field and
>>> I want to HTML Entity Encode it, but I want everything else sanitized
>>> by AntiSamy.
>>>
>>> Currently, AntiSamy removes the markup.
>>>
>>> Thanks!
>>> Mike
>>>
>>> On Thu, Mar 19, 2009 at 2:01 PM, Jason Li <jason.li at owasp.org> wrote:
>>>> Mike,
>>>>
>>>> AntiSamy has several actions you can take with tags, but escaping them
>>>> is not one of them.
>>>>
>>>> It's something we could add in a future version, but I'd like to
>>>> understand what you're hoping to gain by escaping tags through
>>>> AntiSamy. You could just HTML Entity Encode the input text without
>>>> running it through AntiSamy and achieve the same effect with lower
>>>> overhead.
>>>>
>>>> Are you trying to selectively escape some tags? Can you provide a use
>>>> case for this functionality?
>>>> --
>>>> -Jason Li-
>>>> -jason.li at owasp.org-
>>>>
>>>>
>>>>
>>>> 2009/3/19 Michael Masters <mmasters at gmail.com>:
>>>>> Is there a way to have anti-samy escape the tags instead of removing them?
>>>>>
>>>>> -Mike
>>>>> _______________________________________________
>>>>> Owasp-antisamy mailing list
>>>>> Owasp-antisamy at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>>>>
>>>>
>>>
>>
>

