[Owasp-antisamy] Configure the allowed empty tags

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Jul 9 11:33:07 EDT 2010


Thanks, Paul. The failover behavior is exactly what I was looking for.

Arshan

-----Original Message-----
From: owasp-antisamy-bounces at lists.owasp.org on behalf of Paul Curren
Sent: Thu 7/8/2010 6:45 PM
To: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] Configure the allowed empty tags
 
Hi again,

attached is a patch to allow configuration of the acceptance of empty elements.

An extra attribute is accepted on a tag declaration in the policy e.g.
    <tag-rules>
        <tag name="p" action="validate" allowEmpty="true" />
    </tag-rules>

If this attribute isn't supplied then for backwards compatibility the default set of empty tags is as specified in Constants.

In the DOM Scanner this has the same behaviour as the old Constants based mechanism. That is, if a tag is empty then it is removed. If a tag becomes empty as a result of validation on its children then it won't be removed.

The SAX Scanner didn't yet replicate this behaviour so it now follows the behaviour of the DOM Scanner with respect to empty elements.

Let me know if you want changes, or have any other comments.

Cheers,

Paul C
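
A small model of the empty-element rule described in the message above, added here as an illustration; it is not code from the patch or from AntiSamy. The function names, the contents of `DEFAULT_ALLOWED_EMPTY`, the sample policy and the treatment of tags without a rule are assumptions of this example.

```python
from xml.dom import minidom

# Constructed stand-in for the default empty-tag set that the message says is
# defined in Constants; the real list is not shown in this thread.
DEFAULT_ALLOWED_EMPTY = {"br", "hr", "img"}

# Constructed policy fragment using the allowEmpty attribute from the message.
POLICY = """<tag-rules>
    <tag name="p" action="validate" allowEmpty="true" />
    <tag name="b" action="validate" />
    <tag name="br" action="validate" />
    <tag name="script" action="remove" />
</tag-rules>"""

def load_rules(policy_xml):
    """Map tag name -> (action, allow_empty). A tag without allowEmpty falls
    back to the default set, which keeps old policies behaving as before."""
    rules = {}
    for tag in minidom.parseString(policy_xml).getElementsByTagName("tag"):
        name = tag.getAttribute("name")
        if tag.hasAttribute("allowEmpty"):
            allow = tag.getAttribute("allowEmpty") == "true"
        else:
            allow = name in DEFAULT_ALLOWED_EMPTY
        rules[name] = (tag.getAttribute("action"), allow)
    return rules

def is_empty(element):
    return all(c.nodeType == c.TEXT_NODE and not c.data.strip()
               for c in element.childNodes)

def scan(node, rules):
    """Filter the element children of node in place."""
    for child in list(node.childNodes):
        if child.nodeType != child.ELEMENT_NODE:
            continue
        # Simplification of this model: tags with no rule are removed.
        action, allow_empty = rules.get(child.tagName, ("remove", False))
        # Emptiness is judged on the element as it arrived, before its
        # children are validated, so one emptied by validation is kept.
        if action == "remove" or (is_empty(child) and not allow_empty):
            node.removeChild(child)
        else:
            scan(child, rules)
    return node

def clean(fragment, policy_xml=POLICY):
    doc = minidom.parseString(fragment)
    return scan(doc.documentElement, load_rules(policy_xml)).toxml()
```

In this model an empty `<b></b>` is dropped, while a `<b>` whose only child was a removed `<script>` survives as an empty element, which is the DOM Scanner behaviour the message describes.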


