[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?

Mohamad El-Husseini husseini.mel at gmail.com
Wed Sep 21 13:36:27 EDT 2011


Thank you all. After doing some research on this I realized my approach is
wrong.

I want to allow my users to type whatever they want. What I need is an HTML
encoder that will encode everything apart from some designated tags, like
<b>, <a>, and <i>.  In other words, I need the AntiSamy equivalent for
encoding, not sanitizing.

I am not aware of something like that, but I'm inclined to think there is.
If anyone is aware of something, please share.

Many thanks.

On Wed, Sep 21, 2011 at 12:24 AM, Jason Li <jason.li at owasp.org> wrote:

> Mohamad,
>
> One way that you could potentially make this behavior is to leverage the
> "onUnknownTag" directive.
>
> Using this directive, if a tag is not known (i.e. not explicitly in the
> policy file), it will HTML-encode the tag.
>
> You could remove the script tag from the policy file, hypothetically
> causing such "unknown" tags to be encoded rather than removed.
>
> Note that I'm not certain off the top of my head if the new current release
> still supports this directive or if this strategy would work safely and
> accomplish your goal.
>
> -Jason
>
> On Tue, Sep 20, 2011 at 4:18 PM, Mohamad El-Husseini <
> husseini.mel at gmail.com> wrote:
>
>> Hi everyone!
>>
>> I want to use AntiSamy to allow users to post code snippets and other
>> things. Is it possible to customize AntiSamy to allow script tags that are
>> nested in code/pre tags?
>>
>> I want to use it in a similar capacity to Stack Overflow: they allow most
>> basic HTML, including any tags found inside pre/code tags.
>>
>> AntiSamy strips such tags regardless. Is AntiSamy the right tool for what
>> I'm trying to do? Any advice would be appreciated.
>>
>> Thank you.
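The "encode everything apart from some designated tags" behaviour asked about in the message above, sketched in Python as an added example; it is not from the original thread and is not AntiSamy code. The function name, the tag list (`b`, `i`, `pre`, `code`, `a`) and the restriction of `href` to `http(s)` URLs are assumptions.

```python
import html
import re

# Assumed allowlist. Matching is done on the *encoded* text, so a tag is only
# restored when it appears in one of these exact forms:
#   <b> </b> <i> </i> <pre> </pre> <code> </code>   (no attributes at all)
#   <a href="http(s)://...">                        (one double-quoted href)
#   </a>
_ALLOWED_RE = re.compile(
    r"&lt;(?P<close>/?)(?P<tag>b|i|pre|code)&gt;"
    r"|&lt;a href=&quot;(?P<url>https?://(?:[^\s&]|&amp;)+)&quot;&gt;"
    r"|(?P<aclose>&lt;/a&gt;)",
    re.IGNORECASE,
)


def _restore(match):
    """Turn one encoded, allowlisted tag back into real markup."""
    if match.group("url"):
        # The URL is still in its encoded form (& is &amp;), which is the
        # correct spelling inside an attribute value. Quotes, other entities
        # and whitespace never match, so the attribute cannot be broken out of.
        return '<a href="%s" rel="nofollow noopener">' % match.group("url")
    if match.group("aclose"):
        return "</a>"
    return "<%s%s>" % (match.group("close"), match.group("tag").lower())


def encode_except_allowed(text):
    """HTML-encode all user input, then re-enable only allowlisted tags."""
    encoded = html.escape(text, quote=True)  # nothing is markup after this
    # Single pass: restored markup is never re-scanned by another pattern.
    return _ALLOWED_RE.sub(_restore, encoded)


if __name__ == "__main__":
    # Constructed sample input: a code snippet inside pre/code plus an
    # attribute-bearing tag and a javascript: link that must stay encoded.
    sample = ('<pre><code><script>alert(1)</script></code></pre> '
              '<b onclick="x">bold</b> '
              '<a href="javascript:alert(1)">bad</a> '
              '<a href="https://example.com/?a=1&b=2">ok</a>')
    print(encode_except_allowed(sample))
```

The function does not balance tags; an unclosed `<b>` in the input stays unclosed in the output.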