[Owasp-antisamy] Owasp-antisamy Digest, Vol 30, Issue 3

Vadim Lennikov vadim3333 at yahoo.com
Thu May 13 17:48:35 EDT 2010


I think most people are using this in place of something like the AntiSamy.NET lib: http://wpl.codeplex.com/releases/view/20333
Released by MS, very stable, well tested and easy to use. As Arshan says, AntiSamy.NET isn't maintained, so I think it is at the end of its useful life.



________________________________
From: "owasp-antisamy-request at lists.owasp.org" <owasp-antisamy-request at lists.owasp.org>
To: owasp-antisamy at lists.owasp.org
Sent: Tue, May 4, 2010 12:00:08 PM
Subject: Owasp-antisamy Digest, Vol 30, Issue 3


Today's Topics:

   1. Re: antisamy .NET version -- inline css style scanning
      (Arshan Dabirsiaghi)


----------------------------------------------------------------------

Message: 1
Date: Mon, 3 May 2010 13:33:17 -0400
From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com>
Subject: Re: [Owasp-antisamy] antisamy .NET version -- inline css style scanning
To: "Raheel Aidrus" <raidrus at yahoo.com>,
    <owasp-antisamy at lists.owasp.org>

I'm sorry to say that I don't know much about your problem. To be honest
I don't know if AntiSamy.NET is being supported by the author of the
port anymore. I have been very hands-off to the port in general.

I just want to make sure everyone's expectations are appropriate, that I
am -not- in charge of it and it probably needs some active developers to
stay alive and production ready. If you are willing to make that
commitment feel free to reach out to me. 

In the meantime, I suggest users use this list to help each other out
when they run into problems like the one you described.

Thanks,
Arshan

-----Original Message-----
From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Raheel
Aidrus
Sent: Sunday, May 02, 2010 11:26 PM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] antisamy .NET version -- inline css style
scanning

Hello,

I have a .NET web application that allows for html text to be entered by
users. We then use some of this text to generate pdf documents. Our goal
is to use antisamy .net to filter any font modification (face, size,
color) from the html they enter in order to make the pdf files we
generate look consistent.

Currently, I am not seeing inline css being validated properly by
antisamy .net.

Testing the following: 

<span style="text-decoration:underline">test</span>

Using the ebay policy file, this should come out untouched, but for some
reason the clean html that is returned is: 

<span style="">test</span>

Why is the text-decoration CSS property getting filtered out? The
property and the literal value "underline" are included in the ebay
policy file that is part of the .net source code I downloaded. I would
think only the CSS properties that are not included or commented out of
the CSS rules section of the policy file would be removed from inline
CSS, but this is not the case. Currently, it is behaving as if the CSS
rules section of the policy file is empty.

I poked around in the source code and it appears that the
isValidProperty function of the CSSValidator.cs isn't even being hit. I
believe that is where the inline CSS property validation would occur. Is
the inline-CSS validation in the AntiSamy .NET code available online
incomplete or something?

Any help would be appreciated.

Thanks,
Raheel Aidrus


      
_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy
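
The behaviour the question expects from a policy's CSS rules section, as an added example that is not part of the original thread and is not AntiSamy.NET code: a fail-closed allowlist filter for inline `style` attributes, written in Python for illustration. The `ALLOWED_CSS` table and all function names are assumptions, and only the inline-CSS step is shown (tag and attribute allowlisting is assumed to run separately).

```python
import html
from html.parser import HTMLParser

# Constructed allowlist standing in for a policy's CSS rules section
# (assumption: this is not the contents of the eBay policy file).
ALLOWED_CSS = {
    "text-decoration": {"underline", "line-through", "none"},
    "text-align": {"left", "right", "center", "justify"},
}

def filter_style(style):
    """Keep only declarations whose property AND literal value are allowlisted.
    Anything malformed or not an exact allowlisted literal is dropped."""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        prop, value = prop.strip().lower(), value.strip().lower()
        if sep and value in ALLOWED_CSS.get(prop, ()):
            kept.append(f"{prop}:{value}")
    return ";".join(kept)

class StyleFilter(HTMLParser):
    """Re-emits markup with every style attribute passed through filter_style."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name == "style":
                value = filter_style(value)
                if not value:
                    continue  # drop an emptied style attribute entirely
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def clean_inline_css(markup):
    parser = StyleFilter()
    parser.feed(markup)
    parser.close()  # flush any text buffered after the last tag
    return "".join(parser.out)
```

Running the sample from the question through `clean_inline_css` gives a quick regression check: an allowlisted declaration should survive unchanged, while font face, size and colour declarations are removed.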

