[owasp-antisamy] Help with ignoring invalid attribute name in HTML Tag

augustd augustd at codemagi.com
Mon Feb 28 17:11:28 EST 2011


Are you saying you need to support input with invalid attributes like <img
3="">? What does the 3 attribute do? It is not valid as far as I can tell.

If so, what happens if you configure an <attribute name="3"> in your policy
file?

Otherwise, just catch the exception and reject this as invalid input.

-August


On Mon, Feb 28, 2011 at 1:41 PM, Chao Jiang <Chao.Jiang at anu.edu.au> wrote:

> I cannot try
> AntiSamy.scan(String,policy,AntiSamy.SAX)
>
> Because I am using version 1.4 which doesn't support the new static
> method.
>
> By the way I tried the dependency setting for POM file, it doesn't
> work (cannot find the jar file), so is there a new version available in
> Maven repository?
> <dependency>
>    <groupId>org.owasp.antisamy</groupId>
>    <artifactId>antisamy-project</artifactId>
>    <version>1.4.3</version>
> </dependency>
>
> Thanks a lot.
> Chao
>
> -----Original Message-----
> From: Jim Manico [mailto:jim at manico.net]
> Sent: Monday, 28 February 2011 5:23 PM
> To: Chao Jiang
> Cc: owasp-antisamy at lists.owasp.org
> Subject: Re: [owasp-antisamy] Help with ignoring invalid attribute name
> in HTML Tag
>
> On 2/27/2011 7:54 PM, Chao Jiang wrote:
> > An invalid or illegal XML character is specified
>
> Instead of AntiSamy.scan(String, policy)
>
> can you try
>
> AntiSamy.scan(String,policy,AntiSamy.SAX)
>
> instead?
>
> This will default to SAX based XML parsing and should be a lot faster
> (and may fix this issue).
>
> - Jim
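Added example (not part of the original thread and not AntiSamy project code): one way to apply the "catch the exception and reject this as invalid input" advice with the scan(String, Policy) call available in 1.4. The class name HtmlGate, the policy path antisamy.xml and the sample string are assumptions, as is the possibility that the parser error surfaces as an unchecked exception.

```java
import java.util.Optional;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Hypothetical wrapper: sanitize with AntiSamy and fail closed on any scan failure. */
public final class HtmlGate {
    private final Policy policy;

    public HtmlGate(Policy policy) {
        this.policy = policy;
    }

    /** Returns the cleaned HTML, or empty if the input must be rejected. */
    public Optional<String> sanitizeOrReject(String untrusted) {
        if (untrusted == null) {
            return Optional.empty();
        }
        try {
            CleanResults results = new AntiSamy().scan(untrusted, policy);
            return Optional.of(results.getCleanHTML());
        } catch (ScanException | PolicyException e) {
            // Checked AntiSamy failures: the markup could not be scanned.
            return Optional.empty();
        } catch (RuntimeException e) {
            // Assumption: a parser/DOM error such as "An invalid or illegal XML
            // character is specified" may arrive unchecked. Reject it as well,
            // and never fall back to returning the raw input.
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws PolicyException {
        // "antisamy.xml" is a placeholder path to your own policy file.
        HtmlGate gate = new HtmlGate(Policy.getInstance("antisamy.xml"));
        String sample = "<p>hi</p><img 3=\"\">"; // constructed sample input
        Optional<String> clean = gate.sanitizeOrReject(sample);
        System.out.println(clean.isPresent() ? clean.get() : "rejected: invalid input");
    }
}
```

The caller stores or renders only the value inside the Optional; an empty result means the submission is refused rather than passed through unsanitized.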

