[Owasp-antisamy] 'A' tag with no children

Jim Manico jim at manico.net
Fri Jan 8 20:58:33 EST 2010


August,

This is a stellar contribution, thank you!!!

Jim Manico

On Jan 8, 2010, at 2:00 PM, August Detlefsen <augustd at codemagi.com>  
wrote:

> Thanks Arshan,
>
> I basically took the same approach and added "a" to the  
> allowedEmptyTags. I am glad to hear that you added this to the next  
> version.
>
> I also added "area" to allow for image maps -Is there a  
> vulnerability associated with these?
>
> In looking at the source code that uses allowedEmptyTags, it seems  
> to me that (at least in Java) using a HashSet would provide better  
> lookup performance than iterating the array. It can be rewritten as:
>
>     private static final HashSet<String> allowedEmptyTags = new  
> HashSet<String>(19);
>     static {
>         //be sure to use lower case for tag names
>         allowedEmptyTags.add("a");
>         allowedEmptyTags.add("area");
>         ...
>     }
>
> And in recursiveValidateTag:
>
> boolean isEmptyAllowed = allowedEmptyTags.contains(node.getNodeName 
> ().toLowerCase());
>
> I ran a quick test and using a HashSet is about 35% faster than  
> using an array, even accounting for equalsIgnoreCase() vs toLowerCase 
> ().
>
> Regards,
> August
>
>
> On 1/8/10 2:57 PM, Arshan Dabirsiaghi wrote:
>>
>> There is no associated vulnerability, and no way to change it  
>> without recompilation. This whole mess was introduced because of  
>> the browser bug (feature) associated with this issue:
>>
>> http://code.google.com/p/owaspantisamy/issues/detail?id=36
>>
>> I added "a" to the allowed-to-be-empty-list in svn so it will be in  
>> the next version, which should be rolled out really, really soon.
>>
>> Arshan
>>
>> From: owasp-antisamy-bounces at lists.owasp.org on behalf of August  
>> Detlefsen
>> Sent: Fri 1/8/2010 5:19 PM
>> To: owasp-antisamy at lists.owasp.org
>> Subject: [Owasp-antisamy] 'A' tag with no children
>>
>> I ran into this issue with AntiSamy:
>>
>> Within the HTML I was validating was an A tag being used as an in- 
>> page
>> anchor:
>>
>> <a name="anchor"></a>
>>
>> And AntiSamy complains:
>>
>> The a tag was empty, and therefore we could not process it. The  
>> rest of
>> the message is intact, and its removal should not have any side  
>> effects.
>>
>> I found the array containing the list of valid child-less tags (like
>> IMG, HR, BR, etc) in AntiSamyDOMScanner.java, and it would be easy to
>> add A there, but my question for you is:
>>
>> Is there a vulnerability associated with an empty A tag that is  
>> keeping
>> it off that list? Is there some way to configure the allowed empty  
>> tags
>> in the policy file, without recompiling the source code?
>>
>> Thanks,
>> August
>>
>> --
>> August Detlefsen
>> CEO/Web Application Architect
>> CodeMagi, Inc.
>> http://www.codemagi.com
>>
>> _______________________________________________
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
>
> -- 
> August Detlefsen
> CEO/Web Application Architect
> CodeMagi, Inc.
> 510-368-4489 tel
> 510-336-9434 fax
> http://www.codemagi.com
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20100108/8567858b/attachment-0001.html 


More information about the Owasp-antisamy mailing list