[Owasp-antisamy] Owasp-antisamy Digest, Vol 18, Issue 10

Jason Copp jason at singsnap.com
Tue May 26 15:12:28 EDT 2009

Here is the excerpt from my policy file:

        <tag name="param" action="validate">
            <attribute name="name"/>
            <attribute name="value">
                    <regexp name="anything"/>
            <attribute name="wmode">
                    <literal value="transparent"/>
                    <literal value="window"/>
                    <literal value="opaque"/>

However, with this, <param> tags are completely stripped. So, a bug I would


On Tue, May 26, 2009 at 3:01 PM, Arshan Dabirsiaghi <
arshan.dabirsiaghi at aspectsecurity.com> wrote:

>  The param being swallowed, if it's allowed in your policy file,
> represents a bug. It might be a regression for the recent "formjacking" type
> of attack we tried to prevent.
> Did I miss an email that had some example strings? I'd like to be able look
> at what's happening here.
> Also, it should be noted that allowing arbitrary <embed> content is
> essentially the same as allowing <script> content. You can use the embed tag
> to import malicious Flash that executes arbitrary JavaScript, or use the
> data scheme to execute JavaScript directly [1].
> Arshan
> [1] http://ha.ckers.org/xss.html
> ------------------------------
> *From:* owasp-antisamy-bounces at lists.owasp.org on behalf of Jason Copp
> *Sent:* Tue 5/26/2009 2:40 PM
> *To:* Andrew Grosset
> *Cc:* owasp-antisamy at lists.owasp.org
> *Subject:* Re: [Owasp-antisamy] Owasp-antisamy Digest, Vol 18, Issue 10
> That is nearly my exact work-around, but now I've found that antisamy barks
> up the CSS that myspace css generators make, so it mustn't be 100%
> compatible. We fully allow object and embed, and style sheets, etc, just
> like myspace, so I am going with a blacklist for now. We use additional
> behind the scenes protection for the main concern (cookie hijacking) and
> must balance security with expectations, as always.
> Thanks though,
> Jason
> On Tue, May 26, 2009 at 1:16 PM, Andrew Grosset <ag5743 at telus.net> wrote:
>> owasp-antisamy-request at lists.owasp.org wrote:
>> Hi folks,
>> I've got antisamy 1.3 running under CF8. I'm unable to allow the <param>
>> tag regardless of it's inclusion in a policy file or not. I can add any
>> other tag, including object and applet.
>> I searched the source to determine if it is hard coded but didn't find it
>> (but that was tough since the word param is all over the source).
>> Additionally, is there a directive or some other method of specifically
>> allowing a tag that has no content? The <param> tag used on sites like
>> youtube in their embed code is in this format and I wish to allow it.
>> Thanks,
>> Jason
>> --
>> Find me on SingSnap:
>> http://www.singsnap.com/jason
>> ------------------------------
>> _______________________________________________
>> Owasp-antisamy mailing listOwasp-antisamy at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-antisamy
>> Hi Jason,
>> I convert the youTube object into a gif image with a specific (style)
>> class and  the id of the movie into the title of the image then pass it
>> through anti-samy after that I  convert the image back into a youTube
>> object. Trying to allow <param> or <object> tags under specific
>> circumstances is dangerous to say the least so if allowing a youTube object
>> you have to be real careful that it actually is genuine. All you need to
>> look for with youTube is the id of the movie and parse that to make sure its
>> only alphanumeric and "-" and "_" and "&amp;" then build the object again
>> using that id.
>> Andrew.
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
> --
> Find me on SingSnap:
> http://www.singsnap.com/jason


Find me on SingSnap:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20090526/30561ca9/attachment-0001.html 

More information about the Owasp-antisamy mailing list