[Owasp-antisamy] how to add rules for valid tags?
giriraj2k at gmail.com
Thu Jul 22 02:43:13 EDT 2010
I had a case where an HTML looked like:
The AntiSamy scanner passed it without throwing any error.
Of course, it did eliminate the complete tag from the clean HTML.
But when I removed '?' from the tag <garbage
style="width:expression(alert('XSS'))">, it did throw the error.
But I want AntiSamy to throw the error even in the first case.
Is there something I can mention in the policy file so that a tag name cannot
contain anything apart from alphanumeric characters?