[Owasp-antisamy] policy file questions
arshan.dabirsiaghi at aspectsecurity.com
Fri Mar 27 18:30:41 EDT 2009
First of all, I've moved your question to the AntiSamy mailing list where everyone can see your message and possibly offer advice. In the future, this is where general questions should go.
Second, thanks for using AntiSamy! I'm psyched every time I see another download. =]
The best documentation I can recommend for understanding AntiSamy is the paper:
To answer your specific questions:
1. The "tags-to-encode" section of the policy file denotes those tags that you'd rather encode than filter out. Some users wanted to put this feature in so that users who put in text like "hey joe how's your mom? <g>" wouldn't have the "grin" tag/emoticon thing filtered out.
So, the only entries I left for the default policy file are <g> and <grin> since apparently those are pretty common.
2. Let me specify the difference here between action="remove", action="filter" (which is default) and action="validate". Before I do that though, you should understand my terminology. Consider the following snippet:
In the DOM, that is 2 separate elements. The parent element is <script>, and the child element is the text node "alert(document.domain)".
With that in mind, let's talk about the actions. The "remove" action removes both DOM elements in question - the parent tag and the text children. The "filter" action removes the parent tag, but promotes the text content. If you set the action on "script" to "filter", the same text, after being run through the validator, would be this:
3. Your third question you sent in a separate email, but I'm going to put it here in order to reduce traffic:
> Where can I find the necessary libs to build AntiSamy? I'm not seeing classes for the org.w3c.css.sac
Normally Java projects don't necessarily include required libraries so that you can get those libraries directly from the official distributor and allow you to avoid "jar hell."
However, if you're into that kind of thing, we have packaged the libraries together for development purposes in the past. You can download that zip here:
From: mailman-bounces at lists.owasp.org on behalf of Frank Pedroza
Sent: Fri 3/27/2009 4:46 PM
To: owasp-antisamy-owner at lists.owasp.org
Subject: policy file questions
I'm just getting started with AntiSamy and am very excited about it. In trying to learn about it though, I'm finding the documentation a little lacking (which is to be expected). My specific questions have to do with the policy files.
1) What is the purpose of the <tags-to-encode> tag?
2) I don't want to allow the <script> tag at all. Do I need to include the following in the <tag-rules>? I'd prefer that validation just fail if someone tries to use these tags.
<tag name="script" action="remove"/>
<tag name="noscript" action="remove"/>
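The remove-versus-filter distinction and the tags-to-encode behaviour described in the reply above, as an added example that is not part of the original thread or of the AntiSamy project's own code. It assumes AntiSamy is on the classpath, that the stock antisamy.xml (which already carries <tag name="script" action="remove"/>) sits in the working directory, and that antisamy-filter-script.xml is a hypothetical copy of it in which that one rule has been changed to action="filter". The input string is constructed for the demo. It also shows the answer to "I'd prefer that validation just fail": AntiSamy rewrites rather than rejects, but every rewrite is reported in CleanResults, so the caller can refuse any input that needed changes.

```java
// Added example; not from the original post or the AntiSamy project.
// Assumptions (see lead-in): antisamy.xml is the stock policy with
//     <tag name="script" action="remove"/>
// and antisamy-filter-script.xml is a copy with that rule changed to
//     <tag name="script" action="filter"/>
// Both are read from the working directory. The dirty input is constructed.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class PolicyActionDemo {

    /** Load the named policy file and run one scan over the input. */
    static CleanResults scan(String policyFile, String dirtyHtml)
            throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(policyFile);
        return new AntiSamy().scan(dirtyHtml, policy);
    }

    /**
     * AntiSamy does not fail a scan because of disallowed markup; it rewrites
     * the input and records each change in the error-message list. To get
     * reject-on-violation semantics, treat a non-empty list as a validation
     * failure and discard the submission instead of storing the cleaned copy.
     */
    static boolean isAcceptable(CleanResults results) {
        return results.getNumberOfErrors() == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an emoticon tag plus a script block.
        String dirty = "hey joe how's your mom? <g> <script>alert(document.domain)</script>";

        // action="remove": the parent <script> element and its text child
        // ("alert(document.domain)") are both dropped from the DOM.
        CleanResults removed = scan("antisamy.xml", dirty);
        System.out.println("remove : " + removed.getCleanHTML());

        // action="filter": the <script> element is dropped but its text child
        // is promoted, so the literal "alert(document.domain)" survives as
        // inert text rather than as executable markup.
        CleanResults filtered = scan("antisamy-filter-script.xml", dirty);
        System.out.println("filter : " + filtered.getCleanHTML());

        // <g> is listed in <tags-to-encode> in the stock policy, so it is
        // output as the entity-encoded text &lt;g&gt; instead of being stripped.
        // Each rewrite (encoding <g>, removing <script>) is reported here.
        System.out.println("changes: " + removed.getErrorMessages());

        // Reject-on-violation: the script rewrite means this input is refused.
        System.out.println("accept as-is? " + isAcceptable(removed));
    }
}
```

The `<tag name="script" action="remove"/>` and `<tag name="noscript" action="remove"/>` rules from the question are already how the stock policy treats those tags; keeping them explicit in a custom policy is harmless. The important point for a "fail closed" workflow is to check `getNumberOfErrors()` and discard the submission, because `getCleanHTML()` will always hand back something usable even when the input was hostile.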