[owasp-antisamy] Guidance on setting the maxInputSize

Jason Li jason.li at owasp.org
Thu Apr 19 12:34:10 UTC 2012


AntiSamy was originally intended to validate rich-text from untrusted users (think MySpace profiles or eBay auction pages) so the limit is intended to prevent such users from DoS-ing your application by sending huge amounts of HTML.

-Jason

On Apr 18, 2012, at 4:52 PM, Jacob Coulter <jacob.coulter at gmail.com> wrote:

> Hi, 
> 
>   I'm new to the list and attempted to search the archives but I've not had much luck.
> 
>   We have a site that renders back a large html page and it's failing because it exceeds the maxInputSize.  Before just changing this value, I thought I'd ask for guidance on the purpose of this value.
> 
> Specifically, is there some type of known attack that results in an html string with an exceedingly large number of bytes that this is intended to prevent?
> 
> If it's not intended to prevent an attack, is this limit due to concerns for resource utilization and performance?
> 
> If neither, what is the intended purpose of this value?
> 
> I'm trying to understand its original intent so I can understand what risks I'm taking when I make that value larger.
> 
> Thanks,
> 
>   ~ Jacob Coulter
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
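The limit Jason describes is the `maxInputSize` directive of the AntiSamy policy file, and the scanner rejects over-size input by throwing `ScanException` (the comparison is on the Java `String` length, i.e. characters rather than bytes). The following Java class is an added example and not code from the thread or from the AntiSamy project: it reads the directive back out of the loaded policy so that an early size gate and the scanner's own check agree, and it fails closed (rejects rather than truncates) when untrusted rich text exceeds the limit. The policy path `antisamy-policy.xml` is an assumed placeholder; the `maxInputSize` value comes from whatever that file sets.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Sanitizes user-supplied rich text (profile pages, listings) with AntiSamy
 * and enforces the policy's maxInputSize as a DoS guard before the scanner
 * ever parses the input.
 *
 * The limit itself lives in the policy XML, e.g.
 *   <directives>
 *     <directive name="maxInputSize" value="100000"/>
 *   </directives>
 * (the value above is illustrative; use the one from your own policy file).
 */
public class SizeGatedSanitizer {

    private final Policy policy;
    private final int maxInputSize;

    public SizeGatedSanitizer(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
        // Read the limit from the policy so the gate below and AntiSamy's
        // internal check cannot drift apart when the policy is tuned.
        this.maxInputSize = Integer.parseInt(policy.getDirective("maxInputSize"));
    }

    public int getMaxInputSize() {
        return maxInputSize;
    }

    /** Result of a sanitization attempt: either clean HTML or a rejection reason. */
    public static final class Outcome {
        public final boolean accepted;
        public final String cleanHtml;   // non-null only when accepted
        public final String reason;      // non-null only when rejected

        private Outcome(boolean accepted, String cleanHtml, String reason) {
            this.accepted = accepted;
            this.cleanHtml = cleanHtml;
            this.reason = reason;
        }
    }

    /**
     * Cheap pre-check plus the real scan. Over-size input from an untrusted
     * source is rejected outright; it is never silently truncated, because a
     * truncated document could cut through a tag or attribute.
     */
    public Outcome sanitize(String untrustedHtml) throws PolicyException {
        if (untrustedHtml == null) {
            return new Outcome(false, null, "no input");
        }
        if (untrustedHtml.length() > maxInputSize) {
            // Reject before parsing: this is the DoS guard the directive exists for.
            return new Outcome(false, null,
                "input of " + untrustedHtml.length()
                + " characters exceeds maxInputSize " + maxInputSize);
        }
        try {
            CleanResults results = new AntiSamy().scan(untrustedHtml, policy);
            return new Outcome(true, results.getCleanHTML(), null);
        } catch (ScanException e) {
            // AntiSamy throws ScanException for its own size check and for
            // input it cannot parse; both are treated as a rejection.
            return new Outcome(false, null, "scan rejected input: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws PolicyException {
        SizeGatedSanitizer sanitizer = new SizeGatedSanitizer("antisamy-policy.xml");

        // Constructed sample: a small fragment that should pass.
        Outcome small = sanitizer.sanitize("<p>Hello <b>world</b></p>");
        System.out.println("small: accepted=" + small.accepted
            + (small.accepted ? " html=" + small.cleanHtml : " reason=" + small.reason));

        // Constructed sample: padding one character past the policy limit.
        StringBuilder big = new StringBuilder("<p>");
        while (big.length() <= sanitizer.getMaxInputSize()) {
            big.append("x");
        }
        big.append("</p>");
        Outcome large = sanitizer.sanitize(big.toString());
        System.out.println("large: accepted=" + large.accepted + " reason=" + large.reason);
    }
}
```

If a trusted, server-generated page legitimately exceeds the limit, the design choice is to raise `maxInputSize` only in a policy used for that trust boundary, or to skip sanitization for content that never came from a user, rather than loosening the limit in the policy that handles untrusted profile text.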

