[owasp-antisamy] Empty tags and validation

Erlend Oftedal eoftedal at gmail.com
Mon Sep 12 06:52:02 EDT 2011


Hi

I'm trying to use AntiSamy to validate that only allowed tags are present in
a given html. I want to reject the HTML if any tags that I don't allow are
present.
Looking at the current API, I find this a bit difficult to do.
If I base the policy upon the myspace policy, and try to scan something with
an empty style-tag, I get an error "The style tag was empty, and therefore
we could not process it. The rest of the message is intact, and its removal
should not have any side effects."
If I set html and body to validate and then try to scan something like
<html><body>Hello</body></html>, I get an error saying "The head tag was
empty, and therefore we could not process it. The rest of the message is
intact, and its removal should not have any side effects."

For the first case, I can understand why the message is in the error list.
For the second one, it's complaining about a tag that isn't even there....

I would prefer if there was a way to distinguish between warnings and errors.
The two empty tag messages sound like warnings, not errors, to me. But maybe
the API isn't supposed to be used like this?

And one more question:
Are there any problems associated with allowing <html>, <head> and <body>
tags, or does AntiSamy handle things like a meta tag in the head changing
charset etc.?


Best regards
Erlend Oftedal
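The validation described in this message, as an added example that is not part of the thread and not AntiSamy's own code: it wraps AntiSamy's scan() call and rejects the input whenever the CleanResults error list is non-empty, which is the only "reject instead of clean" hook the API offers. The policy file path and the two sample inputs are assumptions constructed for the example.

```java
import java.util.Collections;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Strict validator on top of AntiSamy: accept the input only if the scan
 * produced no error messages at all, otherwise reject it and keep the
 * messages so the caller can report why.
 */
public class StrictHtmlValidator {

    /** Outcome of one validation pass. */
    public static final class Result {
        public final boolean accepted;
        public final String cleanHtml;
        public final List<String> messages;

        Result(boolean accepted, String cleanHtml, List<String> messages) {
            this.accepted = accepted;
            this.cleanHtml = cleanHtml;
            this.messages = Collections.unmodifiableList(messages);
        }
    }

    private final Policy policy;

    /** policyFilePath is assumed to point at a policy derived from antisamy-myspace.xml. */
    public StrictHtmlValidator(String policyFilePath) throws PolicyException {
        this.policy = Policy.getInstance(policyFilePath);
    }

    @SuppressWarnings("unchecked") // older AntiSamy releases return a raw List here
    public Result validate(String html) throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(html, policy);
        List<String> messages = results.getErrorMessages();
        // AntiSamy keeps a single list: a note about an empty <style> or <head>
        // sits beside a message about a disallowed tag. Treating every entry as a
        // rejection is the conservative reading of that list.
        boolean accepted = results.getNumberOfErrors() == 0;
        return new Result(accepted, results.getCleanHTML(), messages);
    }

    public static void main(String[] args) throws Exception {
        StrictHtmlValidator validator = new StrictHtmlValidator("antisamy-policy.xml");
        // Constructed sample inputs: one that should pass, one with a tag no
        // sanitisation policy allows.
        String[] samples = {
            "<p>Hello</p>",
            "<p>Hello</p><script>void(0)</script>"
        };
        for (String sample : samples) {
            Result r = validator.validate(sample);
            System.out.println((r.accepted ? "ACCEPT " : "REJECT ") + sample);
            for (String m : r.messages) {
                System.out.println("  - " + m);
            }
        }
    }
}
```

With a myspace-derived policy the empty-tag messages quoted above land in the same list as genuine violations, so this wrapper rejects `<html><body>Hello</body></html>` as well; the only way to separate the two at this API level is to inspect the message text itself, which is brittle because the wording is not part of the contract.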