[owasp-antisamy] Help with ignoring invalid attribute name in HTML Tag

Chao Jiang Chao.Jiang at anu.edu.au
Mon Feb 28 17:48:28 EST 2011


Thank you Arshan, Jim and August.
Finally I got it working by adding a POM dependency on NekoHTML version
1.9.14 in the POM file.

Because AntiSamy 1.4 will automatically pick up NekoHTML 1.9.12, I guess I
hadn't got the fix yet.
Easy fix, thanks all.

Chao
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com]
Sent: Tuesday, 1 March 2011 9:25 AM
To: augustd; Chao Jiang
Cc: owasp-antisamy at lists.owasp.org
Subject: RE: [owasp-antisamy] Help with ignoring invalid attribute name
in HTML Tag
I feel like a broken record, always blaming NekoHTML. Unfortunately,
this is an upstream bug with them I filed a few years ago [1]. I forked
a version of NekoHTML and patched it and made it available some time ago
(not sure where it is anymore, sorry). Try updating your Neko and
AntiSamy to a recent version and see if the behavior still occurs.
Jim's suggestion to try SAX is a good one too - try that!
[1] http://sourceforge.net/mailarchive/message.php?msg_id=23374671
From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of augustd
Sent: Monday, February 28, 2011 5:11 PM
To: Chao Jiang
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Help with ignoring invalid attribute name
in HTML Tag
Are you saying you need to support input with invalid attributes like
<img 3="">? What does the 3 attribute do? It is not valid as far as I
can tell.

If so, what happens if you configure an <attribute name="3"> in your
policy file?

Otherwise, just catch the exception and reject this as invalid input.

-August

On Mon, Feb 28, 2011 at 1:41 PM, Chao Jiang <Chao.Jiang at anu.edu.au>
wrote:

I cannot try
AntiSamy.scan(String,policy,AntiSamy.SAX)

Because I am using version 1.4 which doesn't support the new static
method.

By the way, I tried the dependency setting for the POM file, but it doesn't
work (cannot find the jar file), so is there a new version available in
the Maven repository?
<dependency>
   <groupId>org.owasp.antisamy</groupId>
   <artifactId>antisamy-project</artifactId>
   <version>1.4.3</version>
</dependency>

Thanks a lot.
Chao

-----Original Message-----
From: Jim Manico [mailto:jim at manico.net]
Sent: Monday, 28 February 2011 5:23 PM
To: Chao Jiang
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Help with ignoring invalid attribute name
in HTML Tag

On 2/27/2011 7:54 PM, Chao Jiang wrote:
> An invalid or illegal XML character is specified

Instead of

AntiSamy.scan(String, policy)

can you try

AntiSamy.scan(String, policy, AntiSamy.SAX)

instead?

This will default to SAX based XML parsing and should be a lot faster
(and may fix this issue).

- Jim
_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-antisamy
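The two suggestions in this thread, Jim's "use the SAX parse path" and August's "catch the exception and reject the input", as an added example that is not part of the original mail thread or of the AntiSamy project's own code. It assumes an AntiSamy release that has the three-argument scan(String, Policy, int) overload (Chao reports that his 1.4 does not), a policy file named antisamy-slashdot.xml on the working directory (any AntiSamy policy file will do), and the sample inputs are constructed here. The dependency override Chao ended up with is, in Maven terms, an explicit dependency on net.sourceforge.nekohtml:nekohtml:1.9.14 declared next to AntiSamy so that it wins over the transitively resolved 1.9.12; those coordinates are taken from the Maven Central artifact, not from the thread.

```java
import java.io.File;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (not from the original thread): scan untrusted HTML with
 * AntiSamy's SAX parse path and treat a ScanException as rejected input.
 */
public class SaxScanExample {

    // Assumed location of one of the policy files shipped with AntiSamy.
    private static final String POLICY_PATH = "antisamy-slashdot.xml";

    /**
     * Returns the sanitized HTML, or null when AntiSamy could not scan the
     * input at all (for instance a parser error on an attribute name such as
     * the "3" in <img 3="">, the case discussed in the thread).
     */
    public static String sanitizeOrReject(String untrustedHtml, Policy policy) {
        try {
            AntiSamy antiSamy = new AntiSamy();
            // AntiSamy.SAX selects the SAX-based parser instead of the DOM one.
            CleanResults results = antiSamy.scan(untrustedHtml, policy, AntiSamy.SAX);
            // Elements and attributes the policy stripped are reported here;
            // that is normal sanitization, not a reason to fail the request.
            for (Object msg : results.getErrorMessages()) {
                System.err.println("stripped: " + msg);
            }
            return results.getCleanHTML();
        } catch (ScanException e) {
            // The input could not be parsed under this policy: reject it.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws PolicyException {
        Policy policy = Policy.getInstance(new File(POLICY_PATH));

        // Constructed sample inputs, not taken from the original mail.
        String[] samples = {
            "<b>bold</b> and <a href=\"http://example.org/\">link</a>",
            "<img 3=\"\" src=\"x.png\">",             // invalid attribute name
            "<script>alert(1)</script><p>text</p>",   // script expected to be stripped
        };
        for (String s : samples) {
            String clean = sanitizeOrReject(s, policy);
            System.out.println(clean == null ? "REJECTED: " + s : "CLEAN: " + clean);
        }
    }
}
```

Whether the second sample is rejected or merely has its bad attribute dropped depends on the NekoHTML version AntiSamy resolves at runtime, which is exactly why pinning the NekoHTML dependency in the POM changed Chao's result; the caller only needs to handle both outcomes, as this method does.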