[Owasp-antisamy] 'A' tag with no children

August Detlefsen augustd at codemagi.com
Fri Jan 8 17:19:21 EST 2010


I ran into this issue with AntiSamy:

Within the HTML I was validating was an A tag being used as an in-page 
anchor:

<a name="anchor"></a>

And AntiSamy complains:

The a tag was empty, and therefore we could not process it. The rest of 
the message is intact, and its removal should not have any side effects.

I found the array containing the list of valid child-less tags (like 
IMG, HR, BR, etc) in AntiSamyDOMScanner.java, and it would be easy to 
add A there, but my question for you is:

Is there a vulnerability associated with an empty A tag that is keeping 
it off that list? Is there some way to configure the allowed empty tags 
in the policy file, without recompiling the source code?

Thanks,
August

-- 
August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc.
http://www.codemagi.com



More information about the Owasp-antisamy mailing list