[owasp-antisamy] UTF-16 multilingual plane characters being stripped

Paul Curren pcurren at atlassian.com
Tue Aug 16 07:09:14 EDT 2011


I've run into a problem in AntisamyDOMScanner#stripNonValidCharacters:

return in.replaceAll("[\\u0000-\\u001F\\uD800-\\uDFFF\\uFFFE-\\uFFFF&&[^\\u0009\\u000A\\u000D]]", "");

This method will corrupt 2 character code points in the 'in' string.

So the most obvious fix that comes to my mind is to just not perform this operation. I'm wondering what are the reasons for the introduction of this method in the first place? What is my risk by not applying it?

I see no direct equivalent in the SAX scanner but I can't easily test it due to a number of customisations we rely on in our DOM Scanner implementation.

Cheers,

Paul C

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20110816/3c13befb/attachment.html 


More information about the Owasp-antisamy mailing list