[owasp-antisamy] onsiteURL question

Carlos Aguayo carlos.aguayo at gmail.com
Tue Aug 30 11:57:58 EDT 2011


I'd like to generate URLs that have colons (:) in them, for example:

<a href="#entry:1234">myEntry</a>

The above currently gets filtered by the "onsiteURL" regex
(http://code.google.com/p/owaspantisamy/downloads/detail?name=antisamy-ebay-1.4.4.xml)
because it doesn't have a colon in the regex. The regex for the ebay policy
reads:

<regexp name="onsiteURL"
value="([\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]+|\#(\w)+)"/>

If I add the colon, it works and then my use case is allowed:

<regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&amp;;:\-_~,\?=/!]+|\#(\w)+)"/>

The scenario that we thought would be the reason to disallow a colon in it
would be someone trying to inject JavaScript through it, for example:

<a href="javascript:xss()">xss</a>

However, that case is still filtered.

So the question is: does anyone know whether it could become unsafe to have the
colon in the onsiteURL property?

Thanks!
Carlos
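The two onsiteURL patterns from the mail, compared as plain regexes in an added example (this is not code from the AntiSamy project or from the post). It assumes the policy applies the pattern as a full match of the whole attribute value, and it does not model whatever else AntiSamy does with the href; it only shows what the character class itself accepts once ':' is in it, and adds a separate scheme check as the caveat a reviewer of that policy change would want. Sample hrefs are constructed; `hasScheme`, `isSafeOnsiteHref` and `compare` are names chosen here.

```javascript
// Added example, not code from the AntiSamy project or from the post.
// Assumption: the policy applies the onsiteURL pattern as a full match of
// the attribute value, so the regexes below are anchored with ^ and $.

// Original antisamy-ebay onsiteURL. In the XML file '&amp;' is a literal '&'.
// \p{L} and \p{N} need the 'u' flag in JavaScript.
const ONSITE_ORIGINAL = /^(?:[\p{L}\p{N}\\.#@$%+&;\-_~,?=\/!]+|#\w+)$/u;

// The variant from the mail with ':' added to the character class.
const ONSITE_WITH_COLON = /^(?:[\p{L}\p{N}\\.#@$%+&;:\-_~,?=\/!]+|#\w+)$/u;

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
// A value that starts this way is either an absolute URL or a relative
// reference whose first path segment contains a colon; RFC 3986 section 4.2
// says the latter must be written as "./entry:1234" to avoid the ambiguity,
// so refusing it here is the conservative choice.
const SCHEME = /^[A-Za-z][A-Za-z0-9+.\-]*:/;

function hasScheme(href) {
  return SCHEME.test(href);
}

// What a policy that relies on the regex alone would accept.
function matchesOnsite(pattern, href) {
  return pattern.test(href);
}

// Defensive variant: the relaxed pattern plus an explicit "no scheme" rule.
// Fragment-only and path-relative values keep their colons; anything that
// parses as scheme:... is refused even though the character class allows it.
function isSafeOnsiteHref(href) {
  return ONSITE_WITH_COLON.test(href) && !hasScheme(href);
}

// Constructed sample values for the comparison table.
const SAMPLES = [
  '#entry:1234',          // the use case from the mail
  '/path/page?x=1&y=2',   // ordinary relative URL
  'javascript:xss()',     // both patterns reject it: '(' and ')' are not in the class
  'javascript:xss',       // no parentheses: only the scheme check stops it
  'http://example.com/',  // absolute URL: with ':' allowed, onsite no longer means relative
  'entry:1234',           // relative reference that looks like a scheme (RFC 3986 section 4.2)
];

function compare(samples = SAMPLES) {
  return samples.map((href) => ({
    href,
    original: matchesOnsite(ONSITE_ORIGINAL, href),
    withColon: matchesOnsite(ONSITE_WITH_COLON, href),
    safe: isSafeOnsiteHref(href),
  }));
}

console.table(compare());
```

The table makes the trade-off visible: adding ':' to the class does let `#entry:1234` through, but it also makes `javascript:xss` (no parentheses) and absolute `http://` URLs match the onsiteURL pattern, so the onsite/offsite distinction then rests entirely on checks outside that regex. The `javascript:xss()` test from the mail is rejected by both patterns simply because parentheses are not in the character class, which is worth knowing before concluding from that one test that the colon is harmless.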