[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?

Jason Li jason.li at owasp.org
Wed Sep 21 14:19:09 EDT 2011


I *think* the approach I outlined can potentially accomplish this idea.

My recollection is that with the onUnknownTag, anything not in the policy
file will be encoded.

Hence, you can fill the policy file with *just* the designated tags you want
(e.g. <b>, <a>, <i>, etc.) and everything else will be encoded if you specify
the onUnknownTag directive.

-Jason

On Wed, Sep 21, 2011 at 12:36 PM, Mohamad El-Husseini <
husseini.mel at gmail.com> wrote:

> Thank you all. After doing some research on this I realized my approach is
> wrong.
>
> I want to allow my users to type whatever they want. What I need is an HTML
> encoder that will encode everything apart from some designated tags, like
> <b>, <a>, and <i>.  In other words, I need the AntiSamy equivalent for
> encoding, not sanitizing.
>
> I am not aware of something like that, but I'm inclined to think there is.
> If anyone aware of something, please share.
>
> Many thanks.
>
>
> On Wed, Sep 21, 2011 at 12:24 AM, Jason Li <jason.li at owasp.org> wrote:
>
>> Mohamad,
>>
>> One way that you could potentially make this behavior is to leverage the
>> "onUnknownTag" directive.
>>
>> Using this directive, if a tag is not known (i.e. not explicitly in the
>> policy file), it will HTML-encode the tag.
>>
>> You could remove the script tag from the policy file, hypothetically
>> causing such "unknown" tags to be encoded rather than removed.
>>
>> Note that I'm not certain off the top of my head if the new current
>> release still supports this directive or if this strategy would work safely
>> and accomplish your goal.
>>
>> -Jason
>>
>> On Tue, Sep 20, 2011 at 4:18 PM, Mohamad El-Husseini <
>> husseini.mel at gmail.com> wrote:
>>
>>> Hi everyone!
>>>
>>> I want to use AntiSamy to allow users to post code snippets and other
>>> things. Is it possible to customize AntiSamy to allow script tags that are
>>> nested in code/pre tags?
>>>
>>> I want to use it in a similar capacity to Stack Overflow: they allow most
>>> basic HTML, including any tags found inside pre/code tags.
>>>
>>> AntiSamy strips such tags regardless. Is AntiSamy the right tool for what
>>> I'm trying to do? Any advice would be appreciated.
>>>
>>> Thank you.
>>>
>>> _______________________________________________
>>> Owasp-antisamy mailing list
>>> Owasp-antisamy at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>>
>>>
>>
>
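The encode-rather-than-strip behaviour this thread is circling around (an allowlist of tags that stay live, with every other tag HTML-encoded so it shows up as literal text) modelled in Python as an added example. This is not AntiSamy's own code (AntiSamy is a Java library driven by a policy XML file); the allowlist, the http/https-only href rule and the sample inputs below are constructed for illustration and stand in for what the policy's tag-rules and onUnknownTag=encode directive would express.

```python
"""Added example: model of the onUnknownTag="encode" strategy.

Every tag that is not in ALLOWED_TAGS (the counterpart of the policy file's
tag rules) is HTML-encoded and therefore rendered as visible text, so a
<script> typed inside <pre>/<code> survives as readable source instead of
being stripped. Attributes on allowed tags are kept only if allowlisted.
"""
import html
from html.parser import HTMLParser

# Constructed allowlist: tag name -> attributes that tag may keep.
ALLOWED_TAGS = {"b": set(), "i": set(), "pre": set(), "code": set(), "a": {"href"}}
# Constructed rule: only absolute http(s) links survive on <a href>.
SAFE_HREF_PREFIXES = ("http://", "https://")


class EncodeUnknownTags(HTMLParser):
    """Keeps allowlisted tags; encodes every other markup construct as text."""

    def __init__(self):
        # convert_charrefs=True (default): entities arrive decoded and are re-encoded
        super().__init__()
        self.out = []
        self.open_tags = []  # allowlisted tags still waiting for their closing tag

    def _start_allowed(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # unknown attribute (onclick, style, ...) is dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # javascript:, data:, relative and other schemes rejected
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        return "<%s%s>" % (tag, "".join(kept))

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(self._start_allowed(tag, attrs))
            self.open_tags.append(tag)
        else:
            # Unknown tag: emit its original source text, HTML-encoded
            self.out.append(html.escape(self.get_starttag_text(), quote=False))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(self._start_allowed(tag, attrs) + "</%s>" % tag)
        else:
            self.out.append(html.escape(self.get_starttag_text(), quote=False))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag in self.open_tags:
                # close inner tags first so the output stays properly nested
                while True:
                    top = self.open_tags.pop()
                    self.out.append("</%s>" % top)
                    if top == tag:
                        break
            # a stray closing tag with no opener is simply dropped
        else:
            self.out.append("&lt;/%s&gt;" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.out.append(html.escape("<!--%s-->" % data, quote=False))

    def handle_decl(self, decl):
        self.out.append(html.escape("<!%s>" % decl, quote=False))

    def handle_pi(self, data):
        self.out.append(html.escape("<?%s>" % data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # balance anything the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def encode_unknown_tags(fragment):
    """Return the fragment with all non-allowlisted markup HTML-encoded."""
    parser = EncodeUnknownTags()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: a code snippet containing a script tag, and an
    # attempt to smuggle an event handler and a javascript: URL through <a>.
    for sample in (
        "<pre><code><script>alert(1)</script></code></pre>",
        '<a href="javascript:alert(1)" onclick="x()">link</a> <b>bold',
    ):
        print(encode_unknown_tags(sample))
```

The model deliberately keeps the two halves of the idea separate: the allowlist decides what stays markup, and everything else, including comments, declarations and the raw text of unknown start tags, goes through the same encoder as ordinary text, so nothing unlisted can ever reach the browser as a tag. A real deployment would still want AntiSamy's DOM-based scan rather than a streaming parser, since the policy file also governs attribute values and CSS in a way this sketch only hints at with the href check.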