[Owasp-antisamy] The release candidate for 1.4.2 is available in a nightly build now

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Dec 1 08:54:44 EST 2010

Most importantly, there is a security issue that's been addressed. But


- Fixed a bug that allowed certain characters to go unencoded
(no bypass, but still a bug)

- Added the ability to nest policy files

- Minor performance enhancements

- Added error messages that weren't being reported in the SAX


There are some other housekeeping notes:

- This is our last Java 1.4 release

- We're marking the DOM scanner as deprecated. SAX is much
faster, better on memory, and we have test cases for both

- AntiSamy is being moved into the Maven central repository
(starting with the upcoming 1.4.2 release)


Paul - what is your desired behavior around CDATA?




From: Paul Curren [mailto:pcurren at atlassian.com] 
Sent: Wednesday, December 01, 2010 5:39 AM
To: Arshan Dabirsiaghi
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] The release candidate for 1.4.2 is
available in a nightly build now


Hi Arshan. I'd like to schedule a little time to try out 1.4.2 (we use a
reasonable amount of CDATA).


Typically though, my product manager wants to know why we should move to
1.4.2 before he will schedule the time. Do you have an improvements list
or bug fix list or anything like that?




Paul C


On 01/12/2010, at 5:07 AM, Arshan Dabirsiaghi wrote:

Please do field testing on a nightly build if you're using AntiSamy and
use/expect a lot of CDATA from your users. I'm looking to get validation
from people that use it on crazy, programmatically generated CDATA
(e.g., from MS Office products). We want to release 1.4.2 this week and
our behavior around CDATA validation/sanitization has changed in both
the SAX and DOM engines - hopefully for the better (and most definitely


More details will be available later, but if you want to make sure it's
going to work the way you want, now is the time to speak up.



