[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?

augustd augustd at codemagi.com
Tue Sep 20 19:12:45 EDT 2011


You definitely do not want to allow someone to insert <script> tags! Even if
they are inside of <pre> tags they can still be executed by browsers.

If you want to allow people to post code samples on your site, what you
really need is to output encode those script tags. This will change them
from raw HTML tags into HTML entities that will display as code samples, but
not execute.

Take a look at the ESAPI project for this functionality. You want something
like this:

import org.owasp.esapi.ESAPI;

// performing output encoding for the HTML context
String safeOutput = ESAPI.encoder().encodeForHTML( input );


Regards,
August


On Tue, Sep 20, 2011 at 2:18 PM, Mohamad El-Husseini <husseini.mel at gmail.com> wrote:

> Hi everyone!
>
> I want to use AntiSamy to allow users to post code snippets and other
> things. Is it possible to customize AntiSamy to allow script tags that are
> nested in code/pre tags?
>
> I want to use it in a similar capacity to StackOverFlow: they allow most
> basic HTML, including any tags found inside pre/code tags.
>
> AntiSamy strips such tags regardless. Is AntiSamy the right tool for what
> I'm trying to do? Any advice would be appreciated.
>
> Thank you.
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>
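An added illustration of the approach August describes (this is not code from his reply, nor from the AntiSamy or ESAPI projects): entity-encode only what sits inside pre/code blocks before the post reaches AntiSamy, so a pasted script tag is shown as text while any script tag outside a code block is left for the sanitizer to strip. The `CodeSampleEncoder` class, its `encodeForHtml` stand-in for ESAPI's encoder and the sample post are all constructed for this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Encodes the contents of <pre>/<code> blocks so pasted markup is shown as
// text, and leaves everything else for AntiSamy to sanitize.
public final class CodeSampleEncoder {
    // A <pre> or <code> element with its inner content in group 3 (non-nested).
    private static final Pattern CODE_BLOCK =
        Pattern.compile("(?is)<(pre|code)(\\s[^>]*)?>(.*?)</\\1\\s*>");
    // Minimal HTML-context encoder; a stand-in for ESAPI's encodeForHTML.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Encodes what is inside each pre/code block; the wrapper tags are kept but
    // their attributes are dropped so they cannot carry event handlers.
    static String encodeCodeBlocks(String html) {
        Matcher m = CODE_BLOCK.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String tag = m.group(1).toLowerCase();
            String inner = encodeForHtml(m.group(3));
            m.appendReplacement(out, Matcher.quoteReplacement("<" + tag + ">" + inner + "</" + tag + ">"));
        }
        m.appendTail(out);
        return out.toString();
    }
    public static void main(String[] args) {
        // Constructed sample post: a script tag inside <pre> and one outside it.
        String post = "<p>Try:</p><pre><script>sayHi()</script></pre><script>sayHi()</script>";
        String encoded = encodeCodeBlocks(post);
        System.out.println(encoded);
        // Only the script tag inside <pre> is now entity-encoded text. Hand the result
        // to AntiSamy next, e.g. new AntiSamy().scan(encoded, policy).getCleanHTML(),
        // which strips the bare <script> and keeps the encoded text inside <pre>.
    }
}
```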