[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?
augustd at codemagi.com
Tue Sep 20 19:12:45 EDT 2011
You definitely do not want to allow someone to insert <script> tags! Even if
they are inside of <pre> tags they can still be executed by browsers.
If you want to allow people to post code samples on your site, what you
really need is to output encode those script tags. This will change them
from raw HTML tags into HTML entities that will display as code samples, but
Take a look at the ESAPI project for this functionality. You want something
//performing output encoding for the HTML context
String safeOutput = ESAPI.encoder().encodeForHTML( input );
On Tue, Sep 20, 2011 at 2:18 PM, Mohamad El-Husseini <husseini.mel at gmail.com
> Hi everyone!
> I want to use AntiSamy to allow users to post code snippets and other
> things. Is it possible to customize AntiSamy to allow script tags that are
> nested in code/pre tags?
> I want to use it in a similar capacity to StackOverFlow: they allow most
> basic HTML, including any tags found inside pre/code tags.
> AntiSamy strips such tags regardless. Is AntiSamy the right tool for what
> I'm trying to do? Any advice would be appreciated.
> Thank you.
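As an added illustration of the advice in the reply above (this is example code, not from the mailing-list post, ESAPI or AntiSamy): the body of each pre/code block is output-encoded before the page is rendered, so a `<script>` tag submitted inside a code sample is stored and displayed as literal text rather than parsed as markup. The class name `CodeSampleEncoder`, the helper `encodeForHtml` (a small stand-in for `ESAPI.encoder().encodeForHTML()`) and the regex-based block matcher are assumptions made for this example.

```java
// Added example, not part of the original post: output-encode user-supplied
// code samples so that <script> inside <pre>/<code> is shown, not executed.
// encodeForHtml() is a hypothetical stand-in for ESAPI.encoder().encodeForHTML();
// it has no dependency on ESAPI or AntiSamy.
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CodeSampleEncoder {

    // Escape the characters that can open or close HTML structure or an
    // attribute value. ESAPI's own encoder is stricter (numeric entities for
    // everything non-alphanumeric); this subset is enough to neutralise tags
    // appearing as text content inside <pre>/<code>.
    public static String encodeForHtml(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Matches <pre>...</pre> or <code>...</code> (case-insensitive, multi-line).
    // A regex is used here only to keep the example short; a real deployment
    // should locate code blocks with an HTML parser.
    private static final Pattern CODE_BLOCK = Pattern.compile(
        "<(pre|code)>(.*?)</\\1>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    // Replace the body of every pre/code block with its encoded form while
    // keeping the wrapper tags. Everything outside those blocks still has to
    // pass through the normal AntiSamy policy before rendering.
    public static String encodeCodeBlocks(String html) {
        Matcher m = CODE_BLOCK.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String tag = m.group(1).toLowerCase();
            String encodedBody = encodeForHtml(m.group(2));
            m.appendReplacement(out,
                Matcher.quoteReplacement("<" + tag + ">" + encodedBody + "</" + tag + ">"));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of a user post containing a script tag in a code block.
        String submitted = "<p>Try this:</p><pre><script>alert(1)</script></pre>";
        System.out.println(encodeCodeBlocks(submitted));
    }
}
```

The encoded block is what the browser receives, so the angle brackets arrive as `&lt;` and `&gt;` and are rendered as text; no `<script>` element is ever created. Running the encoding step first and the sanitizer second keeps the two concerns separate: the encoder decides how code samples are displayed, and AntiSamy decides which markup is allowed everywhere else.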