[owasp-antisamy] Help with ignoring invalid attribute name in HTML Tag

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Mon Feb 28 17:25:00 EST 2011


I feel like a broken record, always blaming NekoHTML. Unfortunately,
this is an upstream bug with them I filed a few years ago [1]. I forked
a version of NekoHTML and patched it and made it available some time ago
(not sure where it is anymore, sorry). Try updating your Neko and
AntiSamy to a recent version and see if the behavior still occurs.

Jim's suggestion to try SAX is a good one too - try that!

[1] http://sourceforge.net/mailarchive/message.php?msg_id=23374671

From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of augustd
Sent: Monday, February 28, 2011 5:11 PM
To: Chao Jiang
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Help with ignoring invalid attribute name
in HTML Tag

Are you saying you need to support input with invalid attributes like
<img 3="">? What does the 3 attribute do? It is not valid as far as I
can tell. 

If so, what happens if you configure an <attribute name="3"> in your
policy file? 

Otherwise, just catch the exception and reject this as invalid input. 

-August



On Mon, Feb 28, 2011 at 1:41 PM, Chao Jiang <Chao.Jiang at anu.edu.au>
wrote:

I cannot try

AntiSamy.scan(String,policy,AntiSamy.SAX)

because I am using version 1.4, which doesn't support the new static
method.

By the way, I tried the dependency setting for the POM file; it doesn't
work (cannot find the jar file), so is there a new version available in
the Maven repository?

<dependency>
   <groupId>org.owasp.antisamy</groupId>
   <artifactId>antisamy-project</artifactId>
   <version>1.4.3</version>
</dependency>

Thanks a lot.
Chao

-----Original Message-----
From: Jim Manico [mailto:jim at manico.net]
Sent: Monday, 28 February 2011 5:23 PM
To: Chao Jiang
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Help with ignoring invalid attribute name
in HTML Tag

On 2/27/2011 7:54 PM, Chao Jiang wrote:
> An invalid or illegal XML character is specified

Instead of

AntiSamy.scan(String, policy)

can you try

AntiSamy.scan(String,policy,AntiSamy.SAX)

instead?

This will default to SAX based XML parsing and should be a lot faster
(and may fix this issue).

- Jim
_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy
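Putting Jim's and August's suggestions together as an added example (not code from this thread or from the AntiSamy project itself): a small Java wrapper that scans with AntiSamy.SAX and rejects the input when the parser throws. It assumes an AntiSamy release that provides the three-argument scan method and uses a placeholder policy file path.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Sanitises untrusted HTML with AntiSamy's SAX scan mode and treats a
 * ScanException (such as the "invalid or illegal XML character" failure
 * discussed in the thread) as a reason to reject the input outright.
 */
public final class SaxSanitizer {

    private final Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    // policyPath is a placeholder; point it at your own AntiSamy policy file.
    public SaxSanitizer(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
    }

    /** Returns the cleaned HTML, or null when the input must be rejected. */
    public String sanitizeOrReject(String untrustedHtml) {
        try {
            // AntiSamy.SAX selects the SAX-based scan instead of the DOM default.
            CleanResults results = antiSamy.scan(untrustedHtml, policy, AntiSamy.SAX);
            // Error messages describe markup AntiSamy already stripped per policy.
            for (Object msg : results.getErrorMessages()) {
                System.err.println("AntiSamy removed: " + msg);
            }
            return results.getCleanHTML();
        } catch (ScanException e) {
            // The parser could not handle the markup (e.g. <img 3="">): reject it.
            System.err.println("Rejecting input: " + e.getMessage());
            return null;
        } catch (PolicyException e) {
            // A policy problem is a configuration bug, not bad input: fail closed.
            throw new IllegalStateException("AntiSamy policy error", e);
        }
    }

    public static void main(String[] args) throws PolicyException {
        SaxSanitizer s = new SaxSanitizer("antisamy-policy.xml"); // placeholder
        // Constructed sample inputs: an ordinary tag and the odd attribute from the thread.
        System.out.println(s.sanitizeOrReject("<b onclick=\"x()\">hi</b>"));
        System.out.println(s.sanitizeOrReject("<img 3=\"\">"));
    }
}
```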

 
