[owasp-antisamy] Empty tags like iframe, textarea - how to preserve them

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Dec 9 15:15:50 UTC 2011

Yep, I just confirmed that we broke this. I am fixing but would like a nice default set of tags that should never be self-closed. I plan on making this changeable in the policy, but at the first least I'm guessing it includes iframe, script and link. Any others come to mind? The spec isn't really clear on this.


-----Original Message-----
From: Ondřej Světlík [mailto:ondrej at svetlik.info] 
Sent: Thursday, December 08, 2011 1:43 PM
To: Arshan Dabirsiaghi
Subject: Re: [owasp-antisamy] Empty tags like iframe,textarea - how to preserve them

Dne 8.6.2011 04:38, Arshan Dabirsiaghi napsal(a):
> Per my earlier message I cranked out the changes again - if you build 
> against HEAD (which is 1.4.5-SNAPSHOT) you will find 
> the<allowed-empty-tags>  element patch was integrated. Incidentally it 
> also makes SAX the default parser and a few other little things.
> Can you test HEAD for us before we do another release?
> Arshan

Hello there,

I'm back with my allow-empty-tags problem. I'm using 1.4.5 right now and no matter what parser I use (SAX or DOM), it always converts <iframe></iframe> to <iframe />.

Did I miss something? When we discussed this in June, 1.4.5-SNAPSHOT did well at least with the SAX parser.

My setup remains the same like it was a few months ago, I'm ready to investigate.



More information about the Owasp-antisamy mailing list