[owasp-antisamy] Encoded attack

Jason Li jason.li at owasp.org
Thu Sep 29 10:56:23 EDT 2011


Wei,

AntiSamy is meant to validate and sanitize input only for an HTML context.

The example you provide (%3cscript%3e) *is* safe for an HTML context
assuming that the output is placed directly into the HTML context (without
any further intermediary that might apply encoding or decoding).

If you are concerned about nested encoded attacks to other contexts, you may
want to consider looking at the OWASP ESAPI Codecs and the reference Encoder
implementation.

-Jason

P.S. You should direct questions about AntiSamy to the entire AntiSamy
mailing list as there will likely be someone who can respond more quickly to
your questions - thanks!

On Mon, Sep 26, 2011 at 4:45 PM, Bian, Wei <wbian at fdic.gov> wrote:

> Hi Jason:
>
> Does AntiSamy handle encoded attacks?
>
> Ex: %3Cscript%3E instead of <script>
>
> I looked at the Antisamy test site http://www.antisamy.net/. It looks like
> it will pass any encoded input.
>
> Thanks
>
> Wei
>
>
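As an added illustration of the point in the reply above (this is example code, not AntiSamy's own or anything from the list), a toy sanitizer that, like AntiSamy, only understands literal HTML markup: percent-encoded input passes through unchanged and is inert if emitted straight into HTML, but a later URL-decode step revives the tag, so the input should be canonicalized before it is sanitized. The names `ALLOWED_TAGS`, `sanitize_html`, `canonicalize`, `sanitize_then_decode` and `decode_then_sanitize` are assumed for this example.

```python
import html
import re
from urllib.parse import unquote

# Stand-in for an HTML-context sanitizer (NOT AntiSamy): any literal tag whose
# name is not on a small allow-list is stripped. Like AntiSamy it only sees
# literal markup, so "%3Cscript%3E" is just text to it.
ALLOWED_TAGS = {"b", "i", "p"}
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")


def sanitize_html(fragment: str) -> str:
    """Keep allow-listed tags, drop every other literal tag."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "",
        fragment,
    )


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Undo URL percent-encoding and HTML entity encoding until the string
    stops changing, so double-encoded input (%253C...) is unwrapped too.
    Refusing input that is still changing after max_rounds is the safe
    default: an attacker can stack layers, a legitimate user cannot."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError(f"input still changing after {max_rounds} decode rounds")


def sanitize_then_decode(value: str) -> str:
    # Wrong order: the sanitizer sees inert text; a downstream URL-decode
    # (the "further intermediary" in the reply) turns it back into markup.
    return unquote(sanitize_html(value))


def decode_then_sanitize(value: str) -> str:
    # Right order: bring the input to the form it will have in the HTML
    # context first, then validate it for that context.
    return sanitize_html(canonicalize(value))


if __name__ == "__main__":
    # Constructed sample: harmless markup followed by a percent-encoded tag.
    sample = "<b>hi</b>%3Cscript%3E%3C/script%3E"
    print("sanitized as-is   :", sanitize_html(sample))
    print("sanitize, decode  :", sanitize_then_decode(sample))
    print("decode, sanitize  :", decode_then_sanitize(sample))
```

Emitted directly into HTML, the first line's output displays the percent-encoded text literally; only the second line ends up with a live tag.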