[Owasp-antisamy] Antisamy with IE

Jason Li jason.li at owasp.org
Fri Dec 10 09:59:17 EST 2010


AntiSamy should have no context for what browser is being used - it only
inspects the HTML/CSS.

I haven't looked into this, but my *guess* is that one of two things is
happening:
- TinyMCE behaves differently on IE vs Firefox and produces different HTML
in each case (because of JavaScript engine differences, libraries often have
subtle differences in behavior across browsers)
- IE7/8 has some protected mode behavior that is blocking part of the
generated content

The best way I can think of to figure out which of these two could be
happening is to compare the input into AntiSamy from each browser (e.g. by
adding a debug statement with the HTML you're passing in to AntiSamy prior
to invocation). If these are different, then TinyMCE is behaving
differently on IE vs Firefox. Likewise, check the output generated by
AntiSamy (e.g. with a debug statement after AntiSamy's invocation); if
the output is the same, then there is a browser behavior difference.

If the input just before AntiSamy invocation is the same, and the output of
AntiSamy right after invocation is different, then there's definitely a bug
in AntiSamy, in which case it'd be great if you could submit a bug report
with test case examples so we can try to resolve the issue.

Thanks for your interest in the AntiSamy project!

-Jason

On Fri, Dec 10, 2010 at 9:37 AM, Avril Verhaeghen <
avril.verhaeghen at gmail.com> wrote:

> Hello
>
> I'm using AntiSamy for a project using TinyMCE as text editor.
> Now all is running very well and AntiSamy is filtering correctly, BUT
> we've got a strange bug: when we add an anchor in the editor and save
> it using, for example, Firefox, the anchor is saved, BUT when we do the same
> thing in IE8 or IE7 the anchor tag is filtered out.
>
> Is there a difference between browsers where AntiSamy considers some tags
> different?
>
> Thanks!
> Regards,
>
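
The before/after comparison suggested in the reply above, as an added example that is not part of the original thread or of the AntiSamy project's code. The wrapper name `scanWithTrace`, the policy path, and the two sample strings are assumptions made for illustration; the samples are constructed stand-ins, not captured TinyMCE output.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.logging.Logger;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class AntiSamyDebug {
    private static final Logger LOG = Logger.getLogger("antisamy.debug");

    // Short fingerprint so the same submission made from two browsers
    // can be compared at a glance in the log.
    static String sha256(String s) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Hypothetical wrapper: logs the HTML handed to AntiSamy, the HTML it
    // returns, and every message explaining what the policy removed.
    static String scanWithTrace(String editorHtml, String userAgent, Policy policy)
            throws Exception {
        LOG.info("UA=" + userAgent);
        LOG.info("IN  sha256=" + sha256(editorHtml) + " html=" + editorHtml);
        CleanResults results = new AntiSamy().scan(editorHtml, policy);
        String clean = results.getCleanHTML();
        LOG.info("OUT sha256=" + sha256(clean) + " html=" + clean);
        for (Object msg : results.getErrorMessages()) {
            LOG.info("FILTERED: " + msg);
        }
        return clean;
    }

    public static void main(String[] args) throws Exception {
        // Assumed path: use the policy file your application already loads.
        Policy policy = Policy.getInstance("antisamy-policy.xml");
        // Constructed samples standing in for the editor content that each
        // browser posts; in the application, pass the request parameter.
        String fromFirefox = "<p><a name=\"top\"></a>Intro</p>";
        String fromIe = "<P><A name=top></A>Intro</P>";
        scanWithTrace(fromFirefox, "Firefox (constructed)", policy);
        scanWithTrace(fromIe, "IE8 (constructed)", policy);
    }
}
```

The `FILTERED` lines name the tag or attribute the policy rejected, which shows why an anchor was dropped when the two `IN` lines differ. Remove the tracing once the cause is found, since the log then holds raw user-submitted HTML.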