[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?

Jason Li jason.li at owasp.org
Wed Sep 21 15:38:47 EDT 2011


Mohamad,

The onUnknownTag directive is documented here:
http://code.google.com/p/owaspantisamy/downloads/detail?name=Developer%20Guide.pdf
but, as you pointed out, it's not listed on the wiki.

I'm not sure if that's because the wiki is out of date or because the
directive was removed from future releases.

-Jason

On Wed, Sep 21, 2011 at 2:31 PM, Mohamad El-Husseini <husseini.mel at gmail.com> wrote:

> Hi Jason,
>
> Looking at the documentation, it seems that the onUnknownTag directive is
> not listed. I have not tested yet, but I will try.
>
> https://www.owasp.org/index.php/AntiSamy_Directives
>
> Is there no HTML encoder with a whitelist feature? I'm tempted to just go
> ahead and encode everything. This way I can make all HTML input safe. The
> only HTML allowed is what comes back from the markdown to HTML parser, which
> will run after the encoder. This would break a requirement, but it's
> probably the best I can do for now outside of testing your suggestion.
>
> Thanks,
> Mohamad
>
>
> On Wed, Sep 21, 2011 at 1:19 PM, Jason Li <jason.li at owasp.org> wrote:
>
>> I *think* the approach I outlined can potentially accomplish this idea.
>>
>> My recollection is that with the onUnknownTag, anything not in the policy
>> file will be encoded.
>>
>> Hence, you can fill the policy file with *just* the designated tags you
>> want (e.g. <b>, <a>, <i>, etc) and everything else will be encoded if you
>> specify the onUnknownTag directive.
>>
>> -Jason
>>
>> On Wed, Sep 21, 2011 at 12:36 PM, Mohamad El-Husseini <
>> husseini.mel at gmail.com> wrote:
>>
>>> Thank you all. After doing some research on this I realized my approach
>>> is wrong.
>>>
>>> I want to allow my users to type whatever they want. What I need is an
>>> HTML encoder that will encode everything apart from some designated tags,
>>> like <b>, <a>, and <i>.  In other words, I need the AntiSamy equivalent for
>>> encoding, not sanitizing.
>>>
>>> I am not aware of something like that, but I'm inclined to think there
>>> is. If anyone is aware of something, please share.
>>>
>>> Many thanks.
>>>
>>>
>>> On Wed, Sep 21, 2011 at 12:24 AM, Jason Li <jason.li at owasp.org> wrote:
>>>
>>>> Mohamad,
>>>>
>>>> One way that you could potentially make this behavior is to leverage the
>>>> "onUnknownTag" directive.
>>>>
>>>> Using this directive, if a tag is not known (i.e. not explicitly in the
>>>> policy file), it will HTML-encode the tag.
>>>>
>>>> You could remove the script tag from the policy file, hypothetically
>>>> causing such "unknown" tags to be encoded rather than removed.
>>>>
>>>> Note that I'm not certain off the top of my head if the new current
>>>> release still supports this directive or if this strategy would work safely
>>>> and accomplish your goal.
>>>>
>>>> -Jason
>>>>
>>>> On Tue, Sep 20, 2011 at 4:18 PM, Mohamad El-Husseini <
>>>> husseini.mel at gmail.com> wrote:
>>>>
>>>>> Hi everyone!
>>>>>
>>>>> I want to use AntiSamy to allow users to post code snippets and other
>>>>> things. Is it possible to customize AntiSamy to allow script tags that are
>>>>> nested in code/pre tags?
>>>>>
>>>>> I want to use it in a similar capacity to StackOverFlow: they allow
>>>>> most basic HTML, including any tags found inside pre/code tags.
>>>>>
>>>>> AntiSamy strips such tags regardless. Is AntiSamy the right tool for
>>>>> what I'm trying to do? Any advice would be appreciated.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-antisamy mailing list
>>>>> Owasp-antisamy at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>>>>
>>>>>
>>>>
>>>
>>
>
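An added example, not code from this thread or from the AntiSamy project, of the approach Jason describes above: a policy whose tag-rules list only the tags to keep (b, i, p, pre, code and a with an href), with the onUnknownTag directive set to "encode" so that any other tag, <script> included, is rendered as text instead of being stripped. The policy text, the chosen tag list, the href regexp, the class and method names and the sample input are all assumptions made for this example, and it also assumes the AntiSamy release in use honours onUnknownTag (Jason notes above that he is not certain the current release still does, so check the result on your version before relying on it).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

// Hypothetical example class, not part of AntiSamy.
public class EncodeUnknownTagsExample {

    // Minimal policy written for this example. The section layout follows the
    // stock antisamy-*.xml files; the tag list and the href regexp are our own
    // choices, not AntiSamy's shipped onsiteURL/offsiteURL expressions.
    // onUnknownTag=encode is the directive the thread discusses: tags that have
    // no <tag> rule below are HTML-encoded rather than removed.
    static final String POLICY_XML =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<anti-samy-rules>\n"
        + "  <directives>\n"
        + "    <directive name=\"omitXmlDeclaration\" value=\"true\"/>\n"
        + "    <directive name=\"omitDoctypeDeclaration\" value=\"true\"/>\n"
        + "    <directive name=\"useXHTML\" value=\"true\"/>\n"
        + "    <directive name=\"formatOutput\" value=\"false\"/>\n"
        + "    <directive name=\"onUnknownTag\" value=\"encode\"/>\n"
        + "  </directives>\n"
        + "  <common-regexps/>\n"
        + "  <common-attributes/>\n"
        + "  <global-tag-attributes/>\n"
        + "  <tag-rules>\n"
        + "    <tag name=\"p\" action=\"validate\"/>\n"
        + "    <tag name=\"b\" action=\"validate\"/>\n"
        + "    <tag name=\"i\" action=\"validate\"/>\n"
        + "    <tag name=\"pre\" action=\"validate\"/>\n"
        + "    <tag name=\"code\" action=\"validate\"/>\n"
        + "    <tag name=\"a\" action=\"validate\">\n"
        // Only http(s) and site-relative links; javascript: and data: URLs fail
        // the regexp and the attribute is dropped (onInvalid=removeAttribute).
        + "      <attribute name=\"href\" onInvalid=\"removeAttribute\">\n"
        + "        <regexp-list>\n"
        + "          <regexp value=\"^(https?://|/)[^\\s]+$\"/>\n"
        + "        </regexp-list>\n"
        + "      </attribute>\n"
        + "    </tag>\n"
        + "  </tag-rules>\n"
        + "  <css-rules/>\n"
        + "</anti-samy-rules>\n";

    // Load the policy from the string above and run the scanner over untrusted HTML.
    // Attributes not listed for a tag (e.g. onmouseover on <b>) are removed by
    // the normal tag-rule handling, independent of onUnknownTag.
    public static CleanResults clean(String untrustedHtml) throws PolicyException, ScanException {
        InputStream in = new ByteArrayInputStream(POLICY_XML.getBytes(StandardCharsets.UTF_8));
        Policy policy = Policy.getInstance(in);
        return new AntiSamy().scan(untrustedHtml, policy);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for this example: a code snippet containing a
        // <script> element inside <pre><code>, an inline event handler, a
        // javascript: link and an ordinary link.
        String input = "<p>Try this:</p>"
                     + "<pre><code><script>alert(document.cookie)</script></code></pre>"
                     + "<b onmouseover=\"alert(1)\">bold</b> "
                     + "<a href=\"javascript:alert(1)\">bad link</a> "
                     + "<a href=\"https://example.org/\">good link</a>";

        CleanResults results = clean(input);
        System.out.println(results.getCleanHTML());
        // AntiSamy reports what it changed; worth logging when tuning a policy.
        for (Object msg : results.getErrorMessages()) {
            System.out.println("  note: " + msg);
        }
    }
}
```

Two caveats for anyone adopting this. First, an HTML parser does not treat `<script>` inside `<pre><code>` as text: it is a real script element, so the only safe way to "keep" it is to encode the tag, which is exactly what this directive does, and the output is the encoded form rather than the user's original bytes (AntiSamy re-serializes the document, so whitespace and entities inside `<pre>` may also be normalised). Second, the tags you do validate still need their attributes constrained as above; the directive only governs tags that are absent from the policy.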