[Owasp-antisamy] 'A' tag with no children

August Detlefsen augustd at codemagi.com
Fri Jan 8 19:00:10 EST 2010


Thanks Arshan,

I basically took the same approach and added "a" to the 
allowedEmptyTags. I am glad to hear that you added this to the next 
version.

I also added "area" to allow for image maps -Is there a vulnerability 
associated with these?

In looking at the source code that uses allowedEmptyTags, it seems to me 
that (at least in Java) using a HashSet would provide better lookup 
performance than iterating the array. It can be rewritten as:

     private static final HashSet<String> allowedEmptyTags = new 
HashSet<String>(19);
     static {
         //be sure to use lower case for tag names
         allowedEmptyTags.add("a");
         allowedEmptyTags.add("area");
         ...
     }

And in recursiveValidateTag:

boolean isEmptyAllowed = 
allowedEmptyTags.contains(node.getNodeName().toLowerCase());

I ran a quick test and using a HashSet is about 35% faster than using an 
array, even accounting for equalsIgnoreCase() vs toLowerCase().

Regards,
August


On 1/8/10 2:57 PM, Arshan Dabirsiaghi wrote:
> There is no associated vulnerability, and no way to change it without 
> recompilation. This whole mess was introduced because of the browser 
> bug (feature) associated with this issue:
> http://code.google.com/p/owaspantisamy/issues/detail?id=36
> I added "a" to the allowed-to-be-empty-list in svn so it will be in 
> the next version, which should be rolled out really, really soon.
> Arshan
>
> ------------------------------------------------------------------------
> *From:* owasp-antisamy-bounces at lists.owasp.org on behalf of August 
> Detlefsen
> *Sent:* Fri 1/8/2010 5:19 PM
> *To:* owasp-antisamy at lists.owasp.org
> *Subject:* [Owasp-antisamy] 'A' tag with no children
>
> I ran into this issue with AntiSamy:
>
> Within the HTML I was validating was an A tag being used as an in-page
> anchor:
>
> <a name="anchor"></a>
>
> And AntiSamy complains:
>
> The a tag was empty, and therefore we could not process it. The rest of
> the message is intact, and its removal should not have any side effects.
>
> I found the array containing the list of valid child-less tags (like
> IMG, HR, BR, etc) in AntiSamyDOMScanner.java, and it would be easy to
> add A there, but my question for you is:
>
> Is there a vulnerability associated with an empty A tag that is keeping
> it off that list? Is there some way to configure the allowed empty tags
> in the policy file, without recompiling the source code?
>
> Thanks,
> August
>
> --
> August Detlefsen
> CEO/Web Application Architect
> CodeMagi, Inc.
> http://www.codemagi.com <http://www.codemagi.com/>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>

-- 
August Detlefsen
CEO/Web Application Architect
CodeMagi, Inc.
510-368-4489 tel
510-336-9434 fax
http://www.codemagi.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20100108/deeb1c78/attachment.html 


More information about the Owasp-antisamy mailing list