[Owasp-antisamy] java heap space error

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Mar 25 15:02:54 EDT 2009

That behavior is the result of an issue discovered with NekoHTML as Jason indicated. I believe it was fixed in 1.9.11. If you can, make sure your NekoHTML jar file is up to date.


-----Original Message-----
From: owasp-antisamy-bounces at lists.owasp.org [mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Jason Li
Sent: Wednesday, March 25, 2009 2:05 PM
To: Andrew Grosset
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] java heap space error


I'm happy to try and help out where I can, but it would be better for
you if you directed questions like the ones you've been asking to the
entire AntiSamy list where our whole development team can read and

This looks like an issue that was identified in NekoHTML, which is the
parser used by AntiSamy to parse HTML.

I'll let Arshan comment on it since he's more familiar with this functionality.
-Jason Li-
-jason.li at owasp.org-

On Wed, Mar 25, 2009 at 12:09 PM, Andrew Grosset <ag5743 at telus.net> wrote:
> Hi Jason,
> I am getting a java heap space error if my text contains this:
>  http://www.example.com/?var=<SCRIPT%20a='>'%20SRC="http://www."></script>
> or http://www.example.com/?var=<SCRIPT%20a=">"%20SRC="http://www."></script>
> I can prevent the error by using the CF code below before passing it to
> antisamy
>   <cfset text = replace(text,""">""","","all")>
>   <cfset text = replace(text,"""<""","","all")>
>   <cfset text = replace(text,"'>'","","all")>
>   <cfset text = replace(text,"'<'","","all")>
> Andrew
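
The reply at the top of this thread advises making sure the NekoHTML jar is up to date. The following is an added example, not part of the original thread and not AntiSamy or NekoHTML project code: a Python audit of a library directory for NekoHTML jars older than the release named in that reply. The function names are hypothetical, and it assumes the version can be read from the manifest's `Implementation-Version` attribute or from the jar file name.

```python
import re
import zipfile
from pathlib import Path

# Assumption: threshold taken from the reply in this thread ("I believe it was fixed in 1.9.11").
MIN_FIXED = (1, 9, 11)

def parse_version(text):
    """Turn '1.9.9' into (1, 9, 9); numeric tuples order correctly where strings do not."""
    m = re.search(r"(\d+(?:\.\d+)+)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def jar_version(jar_path):
    """Prefer Implementation-Version from the manifest, fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "implementation-version":
                found = parse_version(value)
                if found:
                    return found
    except (KeyError, zipfile.BadZipFile):
        pass  # no manifest, or not a readable archive: use the file name instead
    return parse_version(Path(jar_path).stem)

def audit_nekohtml(lib_dir):
    """Return {jar name: (version tuple or None, status)} for every nekohtml*.jar found."""
    report = {}
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        if not jar.name.lower().startswith("nekohtml"):
            continue
        version = jar_version(jar)
        if version is None:
            status = "unknown"   # cannot tell: inspect by hand
        elif version < MIN_FIXED:
            status = "outdated"  # older than the release named in the thread
        else:
            status = "ok"
        report[jar.name] = (version, status)
    return report

if __name__ == "__main__":
    import sys
    for name, (version, status) in audit_nekohtml(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{name}: {shown} -> {status}")
```

Comparing versions as integer tuples matters here: as plain strings, "1.9.9" sorts after "1.9.11", so a string comparison would report the older jar as current.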