[owasp-antisamy] Help with ignoring invalid attribute name in HTML Tag
Chao Jiang
Chao.Jiang at anu.edu.au
Mon Feb 28 17:18:42 EST 2011
Thanks August, you are right, we had a portlet which retrieves email, and we
use AntiSamy to filter out scripts, etc.
There is one email which contains an invalid attribute which makes AntiSamy
throw an exception.
What I am looking for is configuring AntiSamy to ignore the invalid attribute, so
only configuring <attribute name="3"> is too specific.
We might catch the exception and redirect the user to an error page at the
moment.
Chao
From: augustd [mailto:augustd at codemagi.com]
Sent: Tuesday, 1 March 2011 9:11 AM
To: Chao Jiang
Cc: Jim Manico; owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Help with ignoring invalid attribute name in HTML Tag
Are you saying you need to support input with invalid attributes like
<img 3="">? What does the 3 attribute do? It is not valid as far as I
can tell.
If so, what happens if you configure an <attribute name="3"> in your
policy file?
Otherwise, just catch the exception and reject this as invalid input.
-August
On Mon, Feb 28, 2011 at 1:41 PM, Chao Jiang <Chao.Jiang at anu.edu.au>
wrote:
I cannot try AntiSamy.scan(String, policy, AntiSamy.SAX) because I am using
version 1.4, which doesn't support the new static method.
By the way, I tried the dependency setting for the POM file; it doesn't
work (cannot find the jar file), so is there a new version available in the
Maven repository?
<dependency>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy-project</artifactId>
<version>1.4.3</version>
</dependency>
Thanks a lot.
Chao
-----Original Message-----
From: Jim Manico [mailto:jim at manico.net]
Sent: Monday, 28 February 2011 5:23 PM
To: Chao Jiang
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Help with ignoring invalid attribute name in HTML Tag
On 2/27/2011 7:54 PM, Chao Jiang wrote:
> An invalid or illegal XML character is specified
Instead of AntiSamy.scan(String, policy), can you try
AntiSamy.scan(String, policy, AntiSamy.SAX) instead?
This will default to SAX based XML parsing and should be a lot faster
(and may fix this issue).
- Jim
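Putting the two suggestions in this thread together (scan with the SAX parser, and catch the exception and reject the input rather than trying to recover), here is an added example for the portlet case; it is not code from the thread or from the AntiSamy project. It assumes the 1.4.x API where scan(String, Policy, int) is called on an AntiSamy instance and throws ScanException and PolicyException, and that the policy file is supplied by the caller.

```java
import java.io.InputStream;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Sanitises untrusted email HTML before a portlet renders it (added example). */
public final class EmailHtmlSanitizer {

    private final Policy policy;

    /** policyXml: the AntiSamy policy file chosen by the deployer (assumed, not from the thread). */
    public EmailHtmlSanitizer(InputStream policyXml) throws PolicyException {
        // A loaded Policy is reusable; build it once at startup rather than per request.
        this.policy = Policy.getInstance(policyXml);
    }

    /**
     * Returns the cleaned HTML, or null when the message must be rejected.
     * Rejecting is the safe default: markup the sanitiser cannot parse is
     * also markup whose rendering in a browser we cannot predict.
     */
    public String sanitizeOrReject(String untrustedHtml) {
        try {
            // AntiSamy.SAX selects the SAX-based parser instead of the default DOM parser.
            CleanResults results = new AntiSamy().scan(untrustedHtml, policy, AntiSamy.SAX);
            // Error messages list what the policy stripped; keep them in server logs,
            // never echo them back into the page.
            for (Object msg : results.getErrorMessages()) {
                System.err.println("antisamy stripped: " + msg);
            }
            return results.getCleanHTML();
        } catch (ScanException e) {
            // Malformed markup (for example an attribute name the parser refuses) lands here.
            System.err.println("rejected email HTML: " + e.getMessage());
            return null;
        } catch (PolicyException e) {
            // A policy problem is a deployment bug, not bad input; fail closed but make it visible.
            System.err.println("antisamy policy error: " + e.getMessage());
            return null;
        }
    }
}
```

The caller treats a null return as "show the error page", which is the redirect Chao describes, without the raw exception text reaching the user.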