[Owasp-antisamy] Configure the allowed empty tags

Paul Curren pcurren at atlassian.com
Thu Jul 8 18:45:09 EDT 2010


Hi again,

Attached is a patch to allow configuration of the acceptance of empty elements.

An extra attribute is accepted on a tag declaration in the policy e.g.
    <tag-rules>
        <tag name="p" action="validate" allowEmpty="true" />
    </tag-rules>

If this attribute isn't supplied then for backwards compatibility the default set of empty tags is as specified in Constants.

In the DOM Scanner this has the same behaviour as the old Constants based mechanism. That is, if a tag is empty then it is removed. If a tag becomes empty as a result of validation on its children then it won't be removed.

The SAX Scanner didn't yet replicate this behaviour so it now follows the behaviour of the DOM Scanner with respect to empty elements.

Let me know if you want changes, or have any other comments.

Cheers,

Paul C


-------------- next part --------------
A non-text attachment was scrubbed...
Name: antisamy-empty-elements-in-policy-for-1.4.1.patch
Type: application/octet-stream
Size: 22972 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20100708/9d1f9c96/attachment-0001.obj 
-------------- next part --------------



On 08/07/2010, at 1:30 PM, Arshan Dabirsiaghi wrote:

> Sure. If you can, try to make it work in both the SAX scanner and DOM scanner. That will speed up acceptance of the patch.
>  
> Arshan
> 
> From: owasp-antisamy-bounces at lists.owasp.org on behalf of Paul Curren
> Sent: Thu 7/8/2010 6:38 AM
> To: owasp-antisamy at lists.owasp.org
> Subject: [Owasp-antisamy] Configure the allowed empty tags
> 
> Hi there.
> 
> I have a slightly customised XHTML content that I want to protect with AntiSamy. I have a few new tags for representing certain things and some of these are empty tags. Right now only the list of tags in Constants.allowedEmptyTags are preserved if empty.
> 
> What are your thoughts about making this list configurable? Perhaps in the policy file?
> 
> If that sounds like a reasonable idea to you, would the AntiSamy project accept a patch from me? :-)
> 
> Cheers,
> 
> Paul C
> 
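The empty-element rule described in the message above, modelled on a plain W3C DOM as an added example; it is not code from AntiSamy or from the attached patch. Assumptions: the class name `AllowEmptySketch`, the placeholder `DEFAULT_EMPTY` set standing in for the list in Constants, a per-tag fallback to that list when `allowEmpty` is absent, and "empty" meaning an element with no child nodes.

```java
import java.io.ByteArrayInputStream;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AllowEmptySketch {
    // Placeholder (assumption); the real default list is the one in AntiSamy's Constants.
    static final Set<String> DEFAULT_EMPTY = Set.of("br", "hr");

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPEs so neither the policy nor the input parse is open to XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    // Per-tag allowEmpty values from the <tag> declarations that carry the attribute.
    static Map<String, Boolean> readPolicy(String policyXml) throws Exception {
        Map<String, Boolean> out = new HashMap<>();
        NodeList tags = parse(policyXml).getElementsByTagName("tag");
        for (int i = 0; i < tags.getLength(); i++) {
            Element t = (Element) tags.item(i);
            if (t.hasAttribute("allowEmpty"))
                out.put(t.getAttribute("name"), Boolean.parseBoolean(t.getAttribute("allowEmpty")));
        }
        return out;
    }
    // Emptiness is judged before an element's children are cleaned, so a parent that
    // only becomes empty because its children were removed stays in the output.
    static void scan(Element parent, Map<String, Boolean> policy) {
        Node c = parent.getFirstChild();
        while (c != null) {
            Node next = c.getNextSibling(); // fetch before a possible removal
            if (c instanceof Element) {
                String tag = ((Element) c).getTagName();
                boolean allowed = policy.getOrDefault(tag, DEFAULT_EMPTY.contains(tag));
                if (!c.hasChildNodes() && !allowed) parent.removeChild(c);
                else scan((Element) c, policy);
            }
            c = next;
        }
    }
    public static void main(String[] args) throws Exception {
        Map<String, Boolean> policy = readPolicy(
            "<tag-rules><tag name=\"p\" action=\"validate\" allowEmpty=\"true\"/></tag-rules>");
        // Constructed input: empty <p> (allowed by policy), empty <span> (not allowed),
        // a <div> emptied by cleaning, and <br/> (allowed by the placeholder default).
        Document doc = parse("<body><p></p><span></span><div><span></span></div><br/></body>");
        scan(doc.getDocumentElement(), policy);
        NodeList left = doc.getElementsByTagName("*"); // surviving elements, document order
        for (int i = 0; i < left.getLength(); i++) System.out.println(left.item(i).getNodeName());
    }
}
```

Both top-level and nested empty `<span>` elements are dropped, while the `<div>` that held the nested one survives because it was not empty on input.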


