[Owasp-antisamy] 'A' tag with no children

August Detlefsen augustd at codemagi.com
Fri Jan 8 17:19:21 EST 2010

I ran into this issue with AntiSamy:

Within the HTML I was validating was an A tag being used as an in-page 

<a name="anchor"></a>

And AntiSamy complains:

The a tag was empty, and therefore we could not process it. The rest of 
the message is intact, and its removal should not have any side effects.

I found the array containing the list of valid child-less tags (like 
IMG, HR, BR, etc) in AntiSamyDOMScanner.java, and it would be easy to 
add A there, but my question for you is:

Is there a vulnerability associated with an empty A tag that is keeping 
it off that list? Is there some way to configure the allowed empty tags 
in the policy file, without recompiling the source code?


August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc.

More information about the Owasp-antisamy mailing list