[Owasp-antisamy] Ampersand character in title attribute

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Mon Feb 22 18:39:49 EST 2010


Dave's right, but we should be able to accommodate this. Look for this in 1.4. By the way, if you're a Maven expert and want to help me deploy 1.4, please reach out! That's pretty much all I'm waiting for. =]
 
Arshan

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of August Detlefsen
Sent: Mon 2/22/2010 6:21 PM
To: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] Ampersand character in title attribute


With the default regex, it does not matter whether the ampersand is encoded or not. "Full Q&A Session", "Full Q&A Session" and "Full Q&A Session" fail the AntiSamy check, but "Full QA Session" does not. This implies that any other encoded character will also fail, since the ampersand is used in all of them. 

-August 


On 2/22/10 1:45 PM, Dave Moore wrote: 

	i'm not a dev on the team, but the markup looks invalid, it should be &amp; -- the text inside html attributes has to be escaped.
	
	-dave
	
	
	On Mon, Feb 22, 2010 at 15:19, August Detlefsen <augustd at codemagi.com> wrote:
	

		AntiSamy is rejecting the ampersand character in the title attribute of
		an href. If my input is:
		
		<a href="/some/page" title="Full Q&A Session" />
		
		It rejects the tag due to the &.
		
		Do you know of any reason why that character should be banned from a
		title? It seems like it would be present a lot if you are encoding
		special characters...
		
		Is it safe to adjust the default regex for the title field to allow the
		ampersand?
		
		Thanks,
		August
		
		--
		August Detlefsen
		CEO/Web Application Architect
		CodeMagi, Inc.
		http://www.codemagi.com
		
		_______________________________________________
		Owasp-antisamy mailing list
		Owasp-antisamy at lists.owasp.org
		https://lists.owasp.org/mailman/listinfo/owasp-antisamy
		



-- 
August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc. 
http://www.codemagi.com
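The behaviour August reports (raw `&`, `&amp;` and a numeric reference all failing the same way) follows from the parser decoding the attribute before the per-attribute regex sees it. The script below is an added illustration, not code from this thread or from AntiSamy: it uses Python's html.parser as a stand-in for AntiSamy's DOM parsing, two character-whitelist patterns that are assumed for illustration (not copied from any AntiSamy policy file), and constructed sample markup based on the tag in the original post. It shows that the regex only ever sees the decoded value, that widening the whitelist is what admits the ampersand, and that safety then rests on re-encoding the value on output so a literal `&` or `"` cannot leave the attribute.

```python
import html
import re
from html.parser import HTMLParser

# Character whitelists in the spirit of AntiSamy's per-attribute regex check.
# ASSUMED for illustration; not the patterns from the AntiSamy policy file.
TITLE_STRICT = re.compile(r"[\w\s\-',.:!()/]*")       # no ampersand
TITLE_WITH_AMP = re.compile(r"[\w\s\-',.:!()/&]*")    # ampersand admitted

# Constructed inputs modelled on the tag quoted in the thread.
VARIANTS = {
    "raw": '<a href="/some/page" title="Full Q&A Session" />',
    "named": '<a href="/some/page" title="Full Q&amp;A Session" />',
    "numeric": '<a href="/some/page" title="Full Q&#38;A Session" />',
    "no_amp": '<a href="/some/page" title="Full QA Session" />',
}


class _AnchorTitleParser(HTMLParser):
    """Collect the decoded title attribute of each <a> tag.

    HTMLParser unescapes attribute values (named and numeric references)
    before handing them to handle_starttag, which is the same stage at which a
    DOM-based sanitizer applies its attribute regex.
    """

    def __init__(self):
        super().__init__()
        self.titles = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "title" and value is not None:
                    self.titles.append(value)


def decoded_title(markup):
    """Return the parser-decoded title of the first <a> in markup, or None."""
    parser = _AnchorTitleParser()
    parser.feed(markup)
    parser.close()
    return parser.titles[0] if parser.titles else None


def title_allowed(markup, pattern=TITLE_STRICT):
    """Apply the whitelist to the DECODED value, as a DOM sanitizer would."""
    value = decoded_title(markup)
    return value is not None and pattern.fullmatch(value) is not None


def render_anchor(href, title):
    """Serialize the tag, re-encoding attribute values on output.

    Whatever form the ampersand took on input, the decoded value holds a
    literal '&', which html.escape turns back into '&amp;'. A literal '"' is
    encoded too, so the value cannot break out of the attribute.
    """
    return '<a href="%s" title="%s"></a>' % (
        html.escape(href, quote=True),
        html.escape(title, quote=True),
    )


if __name__ == "__main__":
    for label, markup in VARIANTS.items():
        value = decoded_title(markup)
        print("%-8s decoded=%r strict=%s widened=%s" % (
            label, value, title_allowed(markup), title_allowed(markup, TITLE_WITH_AMP)))
    print(render_anchor("/some/page", decoded_title(VARIANTS["named"])))
```

Running it shows `raw`, `named` and `numeric` all decode to the same `Full Q&A Session` and all fail the strict pattern, while `no_amp` passes; only the widened pattern accepts the ampersand, and the re-encoded output carries `&amp;` regardless of which input form was used. The whitelist is a defence in depth on the decoded value; the output encoder is what actually keeps the attribute intact.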