[Owasp-antisamy] Ampersand character in title attribute

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Mon Feb 22 18:39:49 EST 2010

Dave's right, but we should be able to accommodate this. Look for this in 1.4. By the way, if you're a Maven expert and want to help me deploy 1.4, please reach out! That's pretty much all I'm waiting for. =]


From: owasp-antisamy-bounces at lists.owasp.org on behalf of August Detlefsen
Sent: Mon 2/22/2010 6:21 PM
To: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] Ampersand character in title attribute

With the default regex, it does not matter whether the ampersand is encoded or not. "Full Q&A Session", "Full Q&A Session" and "Full Q&A Session" fail the AntiSamy check, but "Full QA Session" does not. This implies that any other encoded character will also fail, since the ampersand is used in all of them. 


On 2/22/10 1:45 PM, Dave Moore wrote: 

	I'm not a dev on the team, but the markup looks invalid, it should be & -- the text inside html attributes has to be escaped.
	On Mon, Feb 22, 2010 at 15:19, August Detlefsen <augustd at codemagi.com> wrote:

		AntiSamy is rejecting the ampersand character in the title attribute of
		an href. If my input is:
		<a href="/some/page" title="Full Q&A Session" />
		It rejects the tag due to the &.
		Do you know of any reason why that character should be banned from a
		title? It seems like it would be present a lot if you are encoding
		special characters...
		Is it safe to adjust the default regex for the title field to allow the
		August Detlefsen
		CEO/Web Application Architect
		CodeMagi, Inc.
		http://www.codemagi.com

August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc. 
http://www.codemagi.com
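As an added illustration (not code from this thread or from AntiSamy itself), the Python below mirrors the behaviour August reports: a whole-string attribute regex that excludes "&" necessarily rejects every character reference as well, whereas an entity-aware pattern accepts the escaped forms Dave recommends while still refusing a bare ampersand. Both patterns and the encoded sample titles are assumptions, since the page does not show AntiSamy's actual default regex for the title attribute.

```python
import re

# Constructed stand-in for a strict attribute regex: no "&" in any form.
# This is an assumption that only reproduces the reported rejection; it is
# not AntiSamy's real default pattern.
STRICT_TITLE = re.compile(r"^[\w\s,.:;!?'\-/()]*$")

# Entity-aware variant: "&" is permitted only as the start of a well-formed
# character reference (named, decimal or hex), so "Q&amp;A" passes while a
# bare "Q&A" or a reference missing its ";" still fails.
ENTITY = r"&(?:amp|lt|gt|quot|apos|#[0-9]{1,7}|#x[0-9A-Fa-f]{1,6});"
ENTITY_AWARE_TITLE = re.compile(r"^(?:[\w\s,.:;!?'\-/()]|" + ENTITY + r")*$")


def title_allowed(value: str, pattern: re.Pattern = ENTITY_AWARE_TITLE) -> bool:
    """True when the whole attribute value matches the given pattern."""
    return pattern.fullmatch(value) is not None


def check_variants(pattern: re.Pattern) -> dict:
    """Run the thread's sample title through several encodings (constructed
    here, since the archive decoded the originals) plus a no-ampersand
    control, returning which ones the pattern accepts."""
    samples = {
        "raw": "Full Q&A Session",          # bare "&": invalid in markup
        "named": "Full Q&amp;A Session",    # escaped as the reply suggests
        "decimal": "Full Q&#38;A Session",
        "hex": "Full Q&#x26;A Session",
        "plain": "Full QA Session",         # no ampersand at all
    }
    return {name: title_allowed(v, pattern) for name, v in samples.items()}


if __name__ == "__main__":
    print("strict:      ", check_variants(STRICT_TITLE))
    print("entity-aware:", check_variants(ENTITY_AWARE_TITLE))
```

With the strict pattern only the "plain" sample is accepted, which is exactly the symptom described above; the entity-aware pattern accepts the three escaped forms and rejects the raw one.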
