[Owasp-antisamy] global-tag-attributes and tags-to-encode

Jason Li jason.li at owasp.org
Fri Apr 30 08:58:19 EDT 2010


If I recall correctly, the <global-tag-attributes> element is meant to
support tag attributes such as "title" and "lang" that are widely and
relatively safely used in HTML tags but are not actually part of the
HTML standard.

Similarly, with the <tags-to-encode> element, these are "tags" that
are often encountered in online content that are not actually "tags"
and should always be HTML-entity encoded. For example, online forum
postings often contain <g> or <grin> as a substitute for the smiley
face emoticon. This is not an HTML tag, but the AntiSamy parser sees
the <g> and tries to match it against the AntiSamy policy and rejects
it when <g> can't be found. As a result, the <g> would have been
rejected and the user would be confused about the "danger" of <g>.
Instead, with this directive, you can specify text sequences within <
> brackets that you expect to see in rich text that you're validating
with AntiSamy. Any such "tags" will always be entity encoded.

Hope that helps!


On Sat, Apr 24, 2010 at 10:45 PM, Vadim Lennikov <vadim3333 at yahoo.com> wrote:
> Hello all, I have question regarding this section that I've seen in couple
> of policy files given with Antisamy:
>     <!--
>     This requires normal updates as browsers continue to diverge from the
> W3C and each other. As long as the browser wars continue
>     this is going to continue. I'm not sure war is the right word for what's
> going on. Doesn't somebody have to win a war after
>     a while?
>      -->
>     <global-tag-attributes>
>         <attribute name="title"/>
>         <attribute name="lang"/>
>     </global-tag-attributes>
>     <tags-to-encode>
>         <tag>g</tag>
>         <tag>grin</tag>
>     </tags-to-encode>
> I find no documents for what these do and I need to know if this is
> something to configure so I have perfect policy file. I see no documents on
> how to make policy file here:
> http://code.google.com/p/owaspantisamy/downloads/list
> Bye, Vadim
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy

More information about the Owasp-antisamy mailing list