[owasp-antisamy] Is it possible to use AntiSamy and keep code in pre/code tags intact?

augustd augustd at codemagi.com
Wed Sep 21 18:02:06 EDT 2011


If you have set AntiSamy to encode everything but <b>, <a>, <i>, etc, what
happens if a user posts a code snippet that includes a <b> tag for example?
It will not be properly encoded inside the code snippet, instead, you will
get bolded code!

<p>code code *bold code* code code code</p>

What would really be needed to accomplish this would be a new AntiSamy *action*:

<tag name="pre" action="encodeContents"/>

-August


On Wed, Sep 21, 2011 at 11:19 AM, Jason Li <jason.li at owasp.org> wrote:

> I *think* the approach I outlined can potentially accomplish this idea.
>
> My recollection is that with the onUnknownTag, anything not in the policy
> file will be encoded.
>
> Hence, you can fill the policy file with *just* the designated tags you
> want (e.g. <b>, <a>, <i>, etc) and everything else will be encoded if you
> specify the onUnknownTag directive.
>
> -Jason
>
> On Wed, Sep 21, 2011 at 12:36 PM, Mohamad El-Husseini <
> husseini.mel at gmail.com> wrote:
>
>> Thank you all. After doing some research on this I realized my approach is
>> wrong.
>>
>> I want to allow my users to type whatever they want. What I need is an
>> HTML encoder that will encode everything apart from some designated tags,
>> like <b>, <a>, and <i>.  In other words, I need the AntiSamy equivalent for
>> encoding, not sanitizing.
>>
>> I am not aware of something like that, but I'm inclined to think there is.
>> If anyone aware of something, please share.
>>
>> Many thanks.
>>
>>
>> On Wed, Sep 21, 2011 at 12:24 AM, Jason Li <jason.li at owasp.org> wrote:
>>
>>> Mohamad,
>>>
>>> One way that you could potentially make this behavior is to leverage the
>>> "onUnknownTag" directive.
>>>
>>> Using this directive, if a tag is not known (i.e. not explicitly in the
>>> policy file), it will HTML-encode the tag.
>>>
>>> You could remove the script tag from the policy file, hypothetically
>>> causing such "unknown" tags to be encoded rather than removed.
>>>
>>> Note that I'm not certain off the top of my head if the new current
>>> release still supports this directive or if this strategy would work safely
>>> and accomplish your goal.
>>>
>>> -Jason
>>>
>>> On Tue, Sep 20, 2011 at 4:18 PM, Mohamad El-Husseini <
>>> husseini.mel at gmail.com> wrote:
>>>
>>>> Hi everyone!
>>>>
>>>> I want to use AntiSamy to allow users to post code snippets and other
>>>> things. Is it possible to customize AntiSamy to allow script tags that are
>>>> nested in code/pre tags?
>>>>
>>>> I want to use it in a similar capacity to StackOverFlow: they allow most
>>>> basic HTML, including any tags found inside pre/code tags.
>>>>
>>>> AntiSamy strips such tags regardless. Is AntiSamy the right tool for
>>>> what I'm trying to do? Any advice would be appreciated.
>>>>
>>>> Thank you.
>>>>
>>>> _______________________________________________
>>>> Owasp-antisamy mailing list
>>>> Owasp-antisamy at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>>>
>>>>
>>>
>>
>
>
>
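Added illustration of the point made in this thread (example code, not AntiSamy's own code and not using its API): a small allowlist encoder in Python that encodes everything except a few designated tags, showing how an allowed <b> leaks through inside <pre>, plus a second mode that encodes the whole contents of pre/code, i.e. the "encodeContents" behaviour August describes. The names ALLOWED_TAGS, LITERAL_CONTAINERS and encode_except_allowlist are my own, the sample input is constructed, and passed-through tags have their attributes dropped for simplicity.

```python
import html
import re

# Tags the allowlist-encoding policy leaves intact: the thread's example set
# (<b>, <a>, <i>) plus the <pre>/<code> containers themselves.  Assumed names.
ALLOWED_TAGS = {"b", "i", "a", "pre", "code"}
# Containers whose contents should be shown literally ("encodeContents").
LITERAL_CONTAINERS = {"pre", "code"}

# A tag is "<", optional "/", a name, anything but angle brackets, then ">".
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^<>]*>")


def encode_except_allowlist(src: str, encode_contents: bool = False) -> str:
    """Encode user input as text, passing through only allowlisted tags.

    encode_contents=False models the onUnknownTag/allowlist approach: an
    allowed <b> passes through even inside <pre>, so code samples render bold.
    encode_contents=True encodes everything between a <pre>/<code> pair.
    Attributes are dropped here; a real sanitizer validates them instead.
    """
    out = []
    pos = 0
    open_container = None  # name of the <pre>/<code> we are inside, if any
    for m in TAG_RE.finditer(src):
        # Text between tags is raw user text: always encode it (an '&' typed
        # by the user becomes &amp;, so it is never parsed as an entity).
        out.append(html.escape(src[pos:m.start()], quote=False))
        pos = m.end()
        closing, name = m.group(1) == "/", m.group(2).lower()
        if encode_contents and name in LITERAL_CONTAINERS:
            if open_container is None and not closing:
                open_container = name          # entering a literal region
                out.append(f"<{name}>")
                continue
            if open_container == name and closing:
                open_container = None          # leaving it
                out.append(f"</{name}>")
                continue
            # a nested opener or stray closer is treated as literal text below
        if open_container is None and name in ALLOWED_TAGS:
            out.append(f"</{name}>" if closing else f"<{name}>")
        else:
            out.append(html.escape(m.group(0), quote=False))
    out.append(html.escape(src[pos:], quote=False))
    return "".join(out)


if __name__ == "__main__":
    sample = "<pre>code <b>bold code</b> code</pre>"  # constructed input
    print(encode_except_allowlist(sample))                        # bold leaks
    print(encode_except_allowlist(sample, encode_contents=True))  # literal
```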