[Owasp-antisamy] Owasp-antisamy Digest, Vol 18, Issue 10

Jason Copp jason at singsnap.com
Tue May 26 14:40:34 EDT 2009


That is nearly my exact work-around, but now I've found that antisamy barks
up the CSS that myspace css generators make, so it mustn't be 100%
compatible. We fully allow object and embed, and style sheets, etc, just
like myspace, so I am going with a blacklist for now. We use additional
behind the scenes protection for the main concern (cookie hijacking) and
must balance security with expectations, as always.

Thanks though,
Jason

On Tue, May 26, 2009 at 1:16 PM, Andrew Grosset <ag5743 at telus.net> wrote:

>  owasp-antisamy-request at lists.owasp.org wrote:
>
> Hi folks,
>
> I've got antisamy 1.3 running under CF8. I'm unable to allow the <param>
> tag regardless of its inclusion in a policy file or not. I can add any
> other tag, including object and applet.
>
> I searched the source to determine if it is hard coded but didn't find it
> (but that was tough since the word param is all over the source).
>
> Additionally, is there a directive or some other method of specifically
> allowing a tag that has no content? The <param> tag used on sites like
> youtube in their embed code is in this format and I wish to allow it.
>
>
> Thanks,
> Jason
>
> --
>
> Find me on SingSnap:
> http://www.singsnap.com/jason
>
>  Hi Jason,
>
> I convert the youTube object into a gif image with a specific (style) class
> and  the id of the movie into the title of the image then pass it through
> anti-samy after that I  convert the image back into a youTube object. Trying
> to allow <param> or <object> tags under specific circumstances is dangerous
> to say the least so if allowing a youTube object you have to be real careful
> that it actually is genuine. All you need to look for with youTube is the id
> of the movie and parse that to make sure it's only alphanumeric and "-" and
> "_" and "&amp;" then build the object again using that id.
>
> Andrew.
>
>
>


-- 

Find me on SingSnap:
http://www.singsnap.com/jason
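Andrew's placeholder approach quoted above, written out as an added example (not code from this thread, from SingSnap or from AntiSamy): the YouTube object is swapped for an image whose title carries the video id, the result goes through the sanitizer, and the object is rebuilt only if the id is still clean. The placeholder class and src, the rebuilt embed markup, the sample input and its video id are all assumed or constructed; a stand-in sanitizer replaces AntiSamy's scan() so it runs offline, and the id is restricted to alphanumerics, "-" and "_" (the "&amp;" Andrew lists is left out here). AntiSamy's policy would still need to allow img with class and title.

```python
import re

# Assumed conventions for the placeholder (not AntiSamy's): class and src.
PLACEHOLDER_CLASS = "youtube"
PLACEHOLDER_SRC = "/images/youtube.gif"

# A video id is accepted only if it is alphanumeric, "-" or "_".
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")
OBJECT_RE = re.compile(r"<object\b.*?</object>", re.IGNORECASE | re.DOTALL)
YOUTUBE_URL_RE = re.compile(r"youtube\.com/v/([^\"'?&\s<]+)", re.IGNORECASE)
IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)


def attr(tag, name):
    """Double-quoted attribute value from a tag, or None (attribute order does not matter)."""
    m = re.search(rf'\b{name}\s*=\s*"([^"]*)"', tag, re.IGNORECASE)
    return m.group(1) if m else None


def to_placeholder(html):
    """Pre-pass: swap each YouTube <object> block for an <img> carrying the id in title."""
    def repl(m):
        url = YOUTUBE_URL_RE.search(m.group(0))
        if not url or not VIDEO_ID_RE.match(url.group(1)):
            return ""  # not a recognisable YouTube embed: drop it rather than pass it on
        return f'<img class="{PLACEHOLDER_CLASS}" title="{url.group(1)}" src="{PLACEHOLDER_SRC}" />'
    return OBJECT_RE.sub(repl, html)


def from_placeholder(html):
    """Post-pass: rebuild the <object> from the placeholder, re-validating the id.
    The check is repeated here because a user can submit the placeholder <img> directly."""
    def repl(m):
        tag = m.group(0)
        if attr(tag, "class") != PLACEHOLDER_CLASS:
            return tag  # an ordinary image: leave it alone
        vid = attr(tag, "title")
        if vid is None or not VIDEO_ID_RE.match(vid):
            return ""  # tampered or re-encoded id: do not rebuild the embed
        url = f"http://www.youtube.com/v/{vid}"
        return (f'<object width="425" height="344"><param name="movie" value="{url}"></param>'
                f'<embed src="{url}" type="application/x-shockwave-flash" '
                f'width="425" height="344"></embed></object>')
    return IMG_RE.sub(repl, html)


def sanitize_with_youtube(html, sanitizer):
    """Wrap any HTML sanitizer (AntiSamy's scan() in a real deployment)."""
    return from_placeholder(sanitizer(to_placeholder(html)))


def stand_in_sanitizer(html):
    """Stand-in for AntiSamy so this runs offline: strips script, object, embed and param."""
    html = re.sub(r"<script\b.*?</script>", "", html, flags=re.IGNORECASE | re.DOTALL)
    return re.sub(r"</?(?:object|embed|param)\b[^>]*>", "", html, flags=re.IGNORECASE)


# Constructed sample: a made-up video id in youtube embed code, followed by injected script.
SAMPLE = ('<p>Hi</p><object width="425" height="344"><param name="movie" '
          'value="http://www.youtube.com/v/vid_ABC-123&hl=en"></param>'
          '<embed src="http://www.youtube.com/v/vid_ABC-123&hl=en"></embed></object>'
          '<script>alert(1)</script>')
```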