[Owasp-antisamy] how to add rules for valid tags?

Giriraj Bhojak giriraj2k at gmail.com
Thu Jul 22 02:43:13 EDT 2010


I had a case where an HTML input looked like:
<?garbage style="width:expression(alert('XSS'))"?>

The antisamy scanner passed it without throwing any error.
Of course it did eliminate the complete tag from clean html.

But when I removed the '?' from the tag, <garbage
style="width:expression(alert('XSS'))">, it did throw the error.

But I want antisamy to throw the error even in the first case.
Is there something I can mention in the policy file that a tag name cannot
contain anything apart from alphanumeric characters?

Regards,
Giriraj.
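Added example, not from this thread or from the AntiSamy project: one way to get the strict behaviour asked for above is a pre-check that flags any tag-like token whose name is not purely alphanumeric (so a processing instruction such as <?garbage ...?> is reported rather than silently dropped), run before the normal AntiSamy scan. It assumes the AntiSamy Java API (AntiSamy.scan, CleanResults.getErrorMessages, Policy.getInstance) and a policy file named antisamy.xml in the working directory; the token regex is a deliberately strict assumption and will also reject comments, doctypes and text such as "<3".

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class StrictTagNameCheck {

    // Every '<' (optionally followed by '/') and the token after it, up to
    // whitespace or '>'. For "<?garbage style=...?>" group 1 is "?garbage".
    private static final Pattern TAG_TOKEN = Pattern.compile("<\\s*/?([^\\s>]+)");

    // Tag names must start with a letter and contain only ASCII letters/digits.
    private static final Pattern ALNUM_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    /** Pre-check findings (non-alphanumeric tag names) followed by AntiSamy's own errors. */
    public static List<String> validate(String html, Policy policy)
            throws ScanException, PolicyException {
        List<String> findings = new ArrayList<>();

        Matcher m = TAG_TOKEN.matcher(html);
        while (m.find()) {
            String name = m.group(1);
            if (!ALNUM_NAME.matcher(name).matches()) {
                findings.add("Rejected tag-like token <" + name
                        + ">: tag names must be alphanumeric");
            }
        }

        // Normal AntiSamy pass; its error messages are appended to ours.
        CleanResults cr = new AntiSamy().scan(html, policy);
        findings.addAll(cr.getErrorMessages());
        return findings;
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance("antisamy.xml"); // path is an assumption
        String piCase = "<?garbage style=\"width:expression(alert('XSS'))\"?>"; // constructed
        String tagCase = "<garbage style=\"width:expression(alert('XSS'))\">";  // constructed
        for (String input : new String[] { piCase, tagCase }) {
            System.out.println("Input: " + input);
            for (String f : validate(input, policy)) {
                System.out.println("  " + f);
            }
        }
    }
}
```

Reject the input (or log it) whenever validate() returns a non-empty list; the pre-check means the first case is no longer a silent removal.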

