[Owasp-antisamy] Configure the allowed empty tags
arshan.dabirsiaghi at aspectsecurity.com
Fri Jul 9 11:33:07 EDT 2010
Thanks, Paul. The failover behavior is exactly what I was looking for.
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Paul Curren
Sent: Thu 7/8/2010 6:45 PM
To: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] Configure the allowed empty tags
Attached is a patch to allow configuration of the acceptance of empty elements.
An extra attribute is accepted on a tag declaration in the policy e.g.
<tag name="p" action="validate" allowEmpty="true" />
If this attribute isn't supplied then for backwards compatibility the default set of empty tags is as specified in Constants.
In the DOM Scanner this has the same behaviour as the old Constants based mechanism. That is, if a tag is empty then it is removed. If a tag becomes empty as a result of validation on its children then it won't be removed.
The SAX Scanner didn't yet replicate this behaviour so it now follows the behaviour of the DOM Scanner with respect to empty elements.
Let me know if you want changes, or have any other comments.
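
The empty-element rule described in the message above, modelled as an added example; this is not code from the patch or from AntiSamy. It covers only the empty-tag decision. The default set, the policy fragment, the rule that an explicit attribute overrides the default, and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: stand-in for the default set kept in Constants (not listed in the thread).
DEFAULT_ALLOWED_EMPTY = {"br", "hr"}

# Constructed policy fragment using the allowEmpty attribute from the post.
POLICY_XML = """<tag-rules>
  <tag name="p" action="validate" allowEmpty="true" />
  <tag name="b" action="validate" allowEmpty="false" />
  <tag name="div" action="validate" />
  <tag name="br" action="validate" />
</tag-rules>"""

def load_policy(xml_text):
    """Map tag name -> True/False, or None when allowEmpty is not supplied."""
    rules = {}
    for tag in ET.fromstring(xml_text).iter("tag"):
        raw = tag.get("allowEmpty")
        rules[tag.get("name")] = None if raw is None else raw.lower() == "true"
    return rules

def may_be_empty(name, rules):
    explicit = rules.get(name)
    # Assumption: an explicit attribute wins; otherwise fall back to the default set.
    return name in DEFAULT_ALLOWED_EMPTY if explicit is None else explicit

def is_empty(el):
    return len(el) == 0 and not (el.text or "").strip()

def drop(parent, child):
    """Remove child but keep the text that followed it."""
    idx = list(parent).index(child)
    tail = child.tail or ""
    if idx == 0:
        parent.text = (parent.text or "") + tail
    else:
        parent[idx - 1].tail = (parent[idx - 1].tail or "") + tail
    parent.remove(child)

def clean(parent, rules):
    for child in list(parent):
        if is_empty(child) and not may_be_empty(child.tag, rules):
            drop(parent, child)      # empty on input and not allowed: removed
        else:
            clean(child, rules)      # kept, even if this leaves it empty

def scan(markup, rules):
    root = ET.fromstring("<root>" + markup + "</root>")
    clean(root, rules)
    return (root.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in root)
```

The input must be well-formed XML because the model uses ElementTree rather than an HTML parser.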