[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?
husseini.mel at gmail.com
Wed Sep 21 13:36:27 EDT 2011
Thank you all. After doing some research on this I realized my approach is
I want to allow my users to type whatever they want. What I need is an HTML
encoder that will encode everything apart from some designated tags, like
<b>, <a>, and <i>. In other words, I need the AntiSamy equivalent for
encoding, not sanitizing.
I am not aware of something like that, but I'm inclined to think there is.
If anyone is aware of something, please share.
On Wed, Sep 21, 2011 at 12:24 AM, Jason Li <jason.li at owasp.org> wrote:
> One way that you could potentially make this behavior is to leverage the
> "onUnknownTag" directive.
> Using this directive, if a tag is not known (i.e. not explicitly in the
> policy file), it will HTML-encode the tag.
> You could remove the script tag from the policy file, hypothetically
> causing such "unknown" tags to be encoded rather than removed.
> Note that I'm not certain off the top of my head if the new current release
> still supports this directive or if this strategy would work safely and
> accomplish your goal.
> On Tue, Sep 20, 2011 at 4:18 PM, Mohamad El-Husseini <
> husseini.mel at gmail.com> wrote:
>> Hi everyone!
>> I want to use AntiSamy to allow users to post code snippets and other
>> things. Is it possible to customize AntiSamy to allow script tags that are
>> nested in code/pre tags?
>> I want to use it in a similar capacity to Stack Overflow: they allow most
>> basic HTML, including any tags found inside pre/code tags.
>> AntiSamy strips such tags regardless. Is AntiSamy the right tool for what
>> I'm trying to do? Any advice would be appreciated.
>> Thank you.
>> Owasp-antisamy mailing list
>> Owasp-antisamy at lists.owasp.org
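The "encode everything apart from some designated tags" behaviour asked for at the top of this thread, sketched as an added example in Python (not part of the original messages and not AntiSamy code). The names `AllowlistEncoder` and `encode_except_allowed`, the choice to keep only `href` on `<a>`, and the accepted URL schemes are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: allowlist taken from the post (<b>, <a>, <i>); only href survives on <a>.
ALLOWED = {"b", "i", "a"}
SAFE_SCHEMES = {"http", "https", "mailto"}  # relative and javascript: URLs are dropped

def _safe_href(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AllowlistEncoder(HTMLParser):
    """Re-emit allowlisted tags; HTML-encode every other piece of markup as text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:  # unknown tag: show it as text, do not drop it
            self.out.append(html.escape(self.get_starttag_text()))
            return
        href = next((v for k, v in attrs if k == "href" and v), None) if tag == "a" else None
        attr = ' href="%s"' % html.escape(href.strip()) if href and _safe_href(href) else ""
        self.out.append("<%s%s>" % (tag, attr))  # rebuilt tag, never the raw input
        self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.open_tags and self.open_tags[-1] == tag:
            self.out.append("</%s>" % self.open_tags.pop())
        else:  # stray or disallowed close tag becomes visible text
            self.out.append(html.escape("</%s>" % tag))

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def handle_comment(self, data):
        self.out.append(html.escape("<!--%s-->" % data))

    def handle_decl(self, decl):
        self.out.append(html.escape("<!%s>" % decl))

def encode_except_allowed(text):
    parser = AllowlistEncoder()
    parser.feed(text)
    parser.close()
    closers = ["</%s>" % t for t in reversed(parser.open_tags)]  # balance unclosed tags
    return "".join(parser.out + closers)
```

Allowlisted tags are rebuilt from the parsed name rather than copied from the input, so event-handler attributes and unsafe `href` values never reach the output.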