[Owasp-antisamy] 'A' tag with no children
augustd at codemagi.com
Fri Jan 8 17:19:21 EST 2010
I ran into this issue with AntiSamy:
Within the HTML I was validating was an A tag being used as an in-page
And AntiSamy complains:
The a tag was empty, and therefore we could not process it. The rest of
the message is intact, and its removal should not have any side effects.
I found the array containing the list of valid child-less tags (like
IMG, HR, BR, etc.) in AntiSamyDOMScanner.java, and it would be easy to
add A there, but my question for you is:
Is there a vulnerability associated with an empty A tag that is keeping
it off that list? Is there some way to configure the allowed empty tags
in the policy file, without recompiling the source code?
CEO/Web Application Architect