[Owasp-antisamy] escaping tags

Jason Li jason.li at owasp.org
Mon Mar 23 21:18:40 EDT 2009


Michael,

Yes - there is! Arshan introduced a new directive in AntiSamy 1.3
called the "onUnknownTag" directive. The intention was actually to
address common non-tag elements that commonly occur in text such as
"<grin>", but it should serve your purposes as well.

It's a relatively new feature but you can try downloading the latest
version of AntiSamy and introducing the following directive in your
policy file:

<directive name="onUnknownTag" value="encode"/>

That should give you the functionality that you need. Let us know how
it works out for you!

Arshan - sorry to spoil the surprise.
--
-Jason Li-
-jason.li at owasp.org-


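The "onUnknownTag" directive described above, driven from the AntiSamy 1.3 API against Mike's sample inputs, as an added example that is not part of this thread. The policy file name is an assumption: any shipped policy (for example antisamy-slashdot.xml) with the directive added to its directives block.

```java
// Added example (not from the mailing-list thread): scans the sample inputs
// from this thread with a policy that encodes rather than drops unknown tags.
// POLICY_FILE is an assumption; it must be a complete AntiSamy policy whose
// <directives> block contains:
//   <directive name="onUnknownTag" value="encode"/>
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class EncodeUnknownTags {

    // Assumed path to the customised policy file described in the comment above.
    private static final String POLICY_FILE = "antisamy-encode-unknown.xml";

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(POLICY_FILE);
        AntiSamy antiSamy = new AntiSamy();

        // Inputs taken from the thread: <foo> and <my-xml> are not HTML tags,
        // while <em> and <strong> are allowed by the stock policies.
        String[] inputs = {
            "this is <foo>a</foo> test",
            "This is an <em>example</em>: <my-xml>some <strong>data</strong></my-xml>"
        };

        for (String input : inputs) {
            CleanResults results = antiSamy.scan(input, policy);
            // With the directive in place the expected behaviour (per the thread)
            // is that unknown tags survive as &lt;foo&gt;...&lt;/foo&gt; and
            // &lt;my-xml&gt;...&lt;/my-xml&gt;, while <em>/<strong> pass through.
            // Without it the default action is to strip the unknown tags.
            System.out.println("in  : " + input);
            System.out.println("out : " + results.getCleanHTML());
            // Any tag that was removed or encoded is reported here as well,
            // which is useful when verifying a policy change like this one.
            System.out.println("msgs: " + results.getErrorMessages());
        }
    }
}
```

Run it once against the unmodified shipped policy and once against the policy with the directive added to see the two outputs Mike describes (stripped versus entity-encoded).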

On Mon, Mar 23, 2009 at 1:00 PM, Michael Masters <mmasters at gmail.com> wrote:
> Very interesting! Your use case is exactly what I need. The only thing
> is...I won't know what the xml is. Is there a way to say anything
> that's not an html tag should be HTML encoded?
>
> Thanks!
> Mike
>
> On Sun, Mar 22, 2009 at 9:41 PM, Jason Li <jason.li at owasp.org> wrote:
>> Michael,
>>
>> For the test case you've provided, I believe you'll be much better
>> served by just using a standard HTML Entity Encoder such as the one
>> provided in the OWASP ESAPI project
>> (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/org/owasp/esapi/codecs/HTMLEntityCodec.html).
>> It doesn't seem like you need the rich-text validation that AntiSamy
>> provides.
>>
>> On the other hand, if your use case expects input a little bit more like this:
>> <body>This is an <em>example</em> of some work that I do in school:
>> <my-xml>This is some XML <strong>data</strong> for my
>> project</my-xml></body>
>>
>> And you expect:
>> <body>This is an <em>example</em> of some work that I do in school:
>> &lt;my-xml&gt;This is some XML <strong>data</strong> for my
>> project&lt;/my-xml&gt;</body>
>>
>> Then that's something that AntiSamy could potentially help you out
>> with! If memory serves me correctly, what you can do is add any custom
>> XML tags that you want to the policy file and set the action to
>> encode. For example:
>>
>> <tag name="yourXmlTag" action="encode">
>> </tag>
>>
>> Don't forget to add any attributes that your XML tag may have and the
>> validation strategy for those attributes!
>>
>> Hope that helps!
>> --
>> -Jason Li-
>> -jason.li at owasp.org-
>>
>>
>>
>> On Sun, Mar 22, 2009 at 8:54 PM, Michael Masters <mmasters at gmail.com> wrote:
>>> So here is an example of what the input might look like:
>>>
>>> this is <foo>a</foo> test
>>>
>>> I expect the output to be untouched. Instead...the output is:
>>>
>>> this is test
>>>
>>> The output I'm looking for is something like:
>>>
>>> this is &lt;foo&gt;a&lt;/foo&gt; test
>>>
>>> Could you give me some info on what code I could change to do this? It
>>> would be great if we could make this configurable. From what it sounds
>>> like, this isn't available. I'm willing to implement this if you think
>>> this provides value. It most certainly does for us :)
>>>
>>> Any info on how I can implement this would be great.
>>>
>>> -Mike
>>>
>>> On Fri, Mar 20, 2009 at 3:58 PM, Jason Li <jason.li at owasp.org> wrote:
>>>> Michael,
>>>>
>>>> AntiSamy is designed to work with HTML and CSS, not XML. I can
>>>> envision how you could still leverage AntiSamy but I'm still trying to
>>>> understand your use case.
>>>>
>>>> Are you trying to allow users to enter custom XML whose elements can
>>>> contain HTML?
>>>>
>>>> Can you provide an example input and show what you'd like AntiSamy to
>>>> produce for output?
>>>>
>>>> --
>>>> -Jason Li-
>>>> -jason.li at owasp.org-
>>>>
>>>>
>>>>
>>>> On Fri, Mar 20, 2009 at 5:39 PM, Michael Masters <mmasters at gmail.com> wrote:
>>>>> Hi Jason,
>>>>>
>>>>> Thanks for the reply.
>>>>>
>>>>> The use case I have is where someone is entering xml into a field and
>>>>> I want to HTML Entity Encode it, but I want everything else sanitized
>>>>> by AntiSamy.
>>>>>
>>>>> Currently, AntiSamy removes the markup.
>>>>>
>>>>> Thanks!
>>>>> Mike
>>>>>
>>>>> On Thu, Mar 19, 2009 at 2:01 PM, Jason Li <jason.li at owasp.org> wrote:
>>>>>> Mike,
>>>>>>
>>>>>> AntiSamy has several actions you can take with tags, but escaping them
>>>>>> is not one of them.
>>>>>>
>>>>>> It's something we could add in a future version, but I'd like to
>>>>>> understand what you're hoping to gain by escaping tags through
>>>>>> AntiSamy. You could just HTML Entity Encode the input text without
>>>>>> running it through AntiSamy and achieve the same effect with lower
>>>>>> overhead.
>>>>>>
>>>>>> Are you trying to selectively escape some tags? Can you provide a use
>>>>>> case for this functionality?
>>>>>> --
>>>>>> -Jason Li-
>>>>>> -jason.li at owasp.org-
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2009/3/19 Michael Masters <mmasters at gmail.com>:
>>>>>>> Is there a way to have anti-samy escape the tags instead of removing them?
>>>>>>>
>>>>>>> -Mike
>>>>>>> _______________________________________________
>>>>>>> Owasp-antisamy mailing list
>>>>>>> Owasp-antisamy at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>