[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?
augustd at codemagi.com
Wed Sep 21 18:02:06 EDT 2011
If you have set AntiSamy to encode everything but <b>, <a>, <i>, etc, what
happens if a user posts a code snippet that includes a <b> tag for example?
It will not be properly encoded inside the code snippet, instead, you will
get bolded code!
<p>code code *bold code* code code code</p>
What would really be needed to accomplish this would be a new AntiSamy *
<tag name="pre" action="encodeContents"/>
On Wed, Sep 21, 2011 at 11:19 AM, Jason Li <jason.li at owasp.org> wrote:
> I *think* the approach I outlined can potentially accomplish this idea.
> My recollection is that with the onUnknownTag, anything not in the policy
> file will be encoded.
> Hence, you can fill the policy file with *just* the designated tags you
> want (e.g. <b>, <a>, <i>, etc) and everything else will be encoded if you
> specify the onUnknownTag directive.
> On Wed, Sep 21, 2011 at 12:36 PM, Mohamad El-Husseini <
> husseini.mel at gmail.com> wrote:
>> Thank you all. After doing some research on this I realized my approach is
>> I want to allow my users to type whatever they want. What I need is an
>> HTML encoder that will encode everything apart from some designated tags,
>> like <b>, <a>, and <i>. In other words, I need the AntiSamy equivalent for
>> encoding, not sanitizing.
>> I am not aware of something like that, but I'm inclined to think there is.
>> If anyone aware of something, please share.
>> Many thanks.
>> On Wed, Sep 21, 2011 at 12:24 AM, Jason Li <jason.li at owasp.org> wrote:
>>> One way that you could potentially make this behavior is to leverage the
>>> "onUnknownTag" directive.
>>> Using this directive, if a tag is not known (i.e. not explicitly in the
>>> policy file), it will HTML-encode the tag.
>>> You could remove the script tag from the policy file, hypothetically
>>> causing such "unknown" tags to be encoded rather than removed.
>>> Note that I'm not certain off the top of my head if the new current
>>> release still supports this directive or if this strategy would work safely
>>> and accomplish your goal.
>>> On Tue, Sep 20, 2011 at 4:18 PM, Mohamad El-Husseini <
>>> husseini.mel at gmail.com> wrote:
>>>> Hi everyone!
>>>> I want to use AntiSamy to allow users to post code snippets and other
>>>> things. Is it possible to customize AntiSamy to allow script tags that are
>>>> nested in code/pre tags?
>>>> I want to use it in a similar capacity to StackOverFlow: they allow most
>>>> basic HTML, including any tags found inside pre/code tags.
>>>> AntiSamy strips such tags regardless. Is AntiSamy the right tool for
>>>> what I'm trying to do? Any advice would be appreciated.
>>>> Thank you.
>>>> Owasp-antisamy mailing list
>>>> Owasp-antisamy at lists.owasp.org
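The encode-everything-but-designated-tags approach discussed in this thread, combined with the action="encodeContents" behaviour augustd asks for on pre/code, as an added example in Python on the standard library html.parser; this is a stand-in implementation, not AntiSamy and not code from the thread, and the ALLOWED tag set, the SAFE_HREF scheme check and the sample inputs are assumptions.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i", "a"}            # the thread's designated tags (assumed set)
ENCODE_CONTENTS = {"pre", "code"}    # proposed action="encodeContents": body escaped whole
SAFE_HREF = ("http://", "https://")  # assumed: only absolute http(s) links survive on <a>

class AllowlistEncoder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities become text, then get re-escaped
        self.out, self.depth = [], 0             # depth > 0 while inside <pre>/<code>

    def handle_starttag(self, tag, attrs):
        if self.depth:                           # inside code: raw tag text, escaped
            self.out.append(escape(self.get_starttag_text()))
            self.depth += tag in ENCODE_CONTENTS  # nested <pre> must not end the outer one
        elif tag in ENCODE_CONTENTS:
            self.out.append(f"<{tag}>")          # attributes dropped
            self.depth = 1
        elif tag in ALLOWED:                     # keep tag; keep only a safe href on <a>
            kept = "".join(f' href="{escape(v, quote=True)}"' for k, v in attrs
                           if tag == "a" and k == "href" and v
                           and v.lower().startswith(SAFE_HREF))
            self.out.append(f"<{tag}{kept}>")
        else:                                    # unknown tag: the onUnknownTag=encode idea
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):    # <br/>-style tags
        if self.depth or tag not in ALLOWED:
            self.out.append(escape(self.get_starttag_text()))
        else:
            self.handle_starttag(tag, attrs)
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.depth and tag in ENCODE_CONTENTS:
            self.depth -= 1
            if self.depth == 0:                  # closing the outermost <pre>/<code>
                self.out.append(f"</{tag}>")
                return
        literal = not self.depth and tag in ALLOWED
        self.out.append(f"</{tag}>" if literal else escape(f"</{tag}>"))

    def handle_data(self, data):                 # text (and decoded entities) always escaped
        self.out.append(escape(data))

def encode_html(html: str) -> str:
    parser = AllowlistEncoder()
    parser.feed(html); parser.close()
    return "".join(parser.out)
```

With this, a <b> inside a <pre> snippet stays visible as `&lt;b&gt;` instead of bolding the code, which is exactly the case the thread's allowlist-only approach gets wrong.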