[Owasp-antisamy] 'A' tag with no children

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Jan 8 17:57:24 EST 2010


There is no associated vulnerability, and no way to change it without recompilation. This whole mess was introduced because of the browser bug (feature) associated with this issue:
 
http://code.google.com/p/owaspantisamy/issues/detail?id=36
 
I added "a" to the allowed-to-be-empty-list in svn so it will be in the next version, which should be rolled out really, really soon.
 
Arshan

________________________________

From: owasp-antisamy-bounces at lists.owasp.org on behalf of August Detlefsen
Sent: Fri 1/8/2010 5:19 PM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] 'A' tag with no children



I ran into this issue with AntiSamy:

Within the HTML I was validating was an A tag being used as an in-page
anchor:

<a name="anchor"></a>

And AntiSamy complains:

The a tag was empty, and therefore we could not process it. The rest of
the message is intact, and its removal should not have any side effects.

I found the array containing the list of valid child-less tags (like
IMG, HR, BR, etc) in AntiSamyDOMScanner.java, and it would be easy to
add A there, but my question for you is:

Is there a vulnerability associated with an empty A tag that is keeping
it off that list? Is there some way to configure the allowed empty tags
in the policy file, without recompiling the source code?

Thanks,
August

--
August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc.
http://www.codemagi.com
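
The behaviour discussed in this thread, shown as an added example that is not part of either message and is not AntiSamy's own code: a DOM pass that drops childless elements unless their tag is on an allowed-to-be-empty list. The class `EmptyTagDemo`, the `BEFORE`/`AFTER` lists, the `prune` and `scan` helpers, the post-order removal and the sample markup are all assumptions made for illustration; the real array lives in AntiSamyDOMScanner.java and is not reproduced here.

```java
import java.io.StringReader;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class EmptyTagDemo {
    // Hypothetical lists standing in for the scanner's hard-coded array.
    static final Set<String> BEFORE = Set.of("img", "hr", "br");
    static final Set<String> AFTER = Set.of("img", "hr", "br", "a");

    // Post-order pass: remove an element with no child nodes unless its tag may be empty.
    // Assumption: a parent emptied by the removal of its children is removed as well.
    static void prune(Node node, Set<String> allowedEmpty, StringBuilder removed) {
        NodeList kids = node.getChildNodes();
        for (int i = kids.getLength() - 1; i >= 0; i--) { // backwards: the NodeList is live
            Node kid = kids.item(i);
            if (kid.getNodeType() != Node.ELEMENT_NODE) continue;
            prune(kid, allowedEmpty, removed);
            String tag = kid.getNodeName().toLowerCase();
            if (!kid.hasChildNodes() && !allowedEmpty.contains(tag)) {
                node.removeChild(kid);
                removed.append(tag).append(' ');
            }
        }
    }

    // Parses well-formed markup and returns the names of the tags that were removed.
    static String scan(String xhtml, Set<String> allowedEmpty) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the parser cannot be used for entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xhtml)));
        StringBuilder removed = new StringBuilder();
        prune(doc.getDocumentElement(), allowedEmpty, removed);
        return removed.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an in-page anchor, a <br/> and an empty <b>.
        String html = "<div><a name=\"anchor\"></a><p>Section text<br/></p><b></b></div>";
        System.out.println("old list removed: [" + scan(html, BEFORE) + "]");
        System.out.println("new list removed: [" + scan(html, AFTER) + "]");
    }
}
```

With the old list the in-page anchor is stripped along with the empty `b`; with `a` added, only the empty `b` is removed.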
