[Owasp-antisamy] 'A' tag with no children
Jim Manico
jim at manico.net
Fri Jan 8 20:58:33 EST 2010
August,
This is a stellar contribution, thank you!!!
Jim Manico
On Jan 8, 2010, at 2:00 PM, August Detlefsen <augustd at codemagi.com>
wrote:
> Thanks Arshan,
>
> I basically took the same approach and added "a" to the
> allowedEmptyTags. I am glad to hear that you added this to the next
> version.
>
> I also added "area" to allow for image maps. Is there a
> vulnerability associated with these?
>
> In looking at the source code that uses allowedEmptyTags, it seems
> to me that (at least in Java) using a HashSet would provide better
> lookup performance than iterating the array. It can be rewritten as:
>
> private static final HashSet<String> allowedEmptyTags = new HashSet<String>(19);
> static {
>     // be sure to use lower case for tag names
>     allowedEmptyTags.add("a");
>     allowedEmptyTags.add("area");
>     ...
> }
>
> And in recursiveValidateTag:
>
> boolean isEmptyAllowed = allowedEmptyTags.contains(node.getNodeName().toLowerCase());
>
> I ran a quick test and using a HashSet is about 35% faster than
> using an array, even accounting for equalsIgnoreCase() vs toLowerCase().
>
> Regards,
> August
>
>
> On 1/8/10 2:57 PM, Arshan Dabirsiaghi wrote:
>>
>> There is no associated vulnerability, and no way to change it
>> without recompilation. This whole mess was introduced because of
>> the browser bug (feature) associated with this issue:
>>
>> http://code.google.com/p/owaspantisamy/issues/detail?id=36
>>
>> I added "a" to the allowed-to-be-empty-list in svn so it will be in
>> the next version, which should be rolled out really, really soon.
>>
>> Arshan
>>
>> From: owasp-antisamy-bounces at lists.owasp.org on behalf of August
>> Detlefsen
>> Sent: Fri 1/8/2010 5:19 PM
>> To: owasp-antisamy at lists.owasp.org
>> Subject: [Owasp-antisamy] 'A' tag with no children
>>
>> I ran into this issue with AntiSamy:
>>
>> Within the HTML I was validating was an A tag being used as an
>> in-page anchor:
>>
>> <a name="anchor"></a>
>>
>> And AntiSamy complains:
>>
>> The a tag was empty, and therefore we could not process it. The
>> rest of the message is intact, and its removal should not have any
>> side effects.
>>
>> I found the array containing the list of valid child-less tags (like
>> IMG, HR, BR, etc) in AntiSamyDOMScanner.java, and it would be easy to
>> add A there, but my question for you is:
>>
>> Is there a vulnerability associated with an empty A tag that is
>> keeping it off that list? Is there some way to configure the allowed
>> empty tags in the policy file, without recompiling the source code?
>>
>> Thanks,
>> August
>>
>> --
>> August Detlefsen
>> CEO/Web Application Architect
>> CodeMagi, Inc.
>> http://www.codemagi.com
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>
> --
> August Detlefsen
> CEO/Web Application Architect
> CodeMagi, Inc.
> 510-368-4489 tel
> 510-336-9434 fax
> http://www.codemagi.com
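
The empty-tag allowlist check discussed in this thread, as an added example that is not AntiSamy's own code or code from any of the posters: a simplified DOM walk that drops childless elements unless their lower-cased name is in a set. The class and method names and the sample markup are hypothetical, and the example goes one step beyond the thread by lower-casing with `Locale.ROOT`, so the lookup does not depend on the JVM's default locale.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class EmptyTagDemo {
    // Lower-case names only; "a" and "area" are the additions discussed in the thread.
    private static final Set<String> ALLOWED_EMPTY_TAGS =
            new HashSet<>(Arrays.asList("a", "area", "br", "hr", "img"));

    // Locale.ROOT keeps the result stable: under a Turkish default locale,
    // "IMG".toLowerCase() yields "\u0131mg" (dotless i) and would miss the set.
    static boolean isEmptyAllowed(String tagName) {
        return ALLOWED_EMPTY_TAGS.contains(tagName.toLowerCase(Locale.ROOT));
    }

    // Removes childless elements that are not on the allowlist; returns their names.
    static List<String> stripDisallowedEmpty(Node node, List<String> removed) {
        NodeList kids = node.getChildNodes();
        for (int i = kids.getLength() - 1; i >= 0; i--) { // backwards: list is live
            Node child = kids.item(i);
            if (child.getNodeType() != Node.ELEMENT_NODE) continue;
            stripDisallowedEmpty(child, removed);
            if (!child.hasChildNodes() && !isEmptyAllowed(child.getNodeName())) {
                removed.add(child.getNodeName());
                node.removeChild(child);
            }
        }
        return removed;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, written as well-formed XML so no HTML parser is needed.
        String html = "<div><a name=\"anchor\"></a><p>text</p><B></B><IMG src=\"x.png\"/></div>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so untrusted markup cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(html.getBytes(StandardCharsets.UTF_8)));
        List<String> removed = stripDisallowedEmpty(doc.getDocumentElement(), new ArrayList<>());
        System.out.println("removed: " + removed);
        System.out.println("anchor kept: " + (doc.getElementsByTagName("a").getLength() == 1));
    }
}
```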