[owasp-antisamy] Attribute Encoding should not occur for all cases

Stephanie S security.stephanie at gmail.com
Wed Aug 22 21:27:58 UTC 2012


Hello,

I see from a similar thread that HTML attribute values are getting encoded
but my question is about URLs that would appear in attributes.
https://lists.owasp.org/pipermail/owasp-antisamy/2010-February/000305.html

The question is -- is it happening across the board and is there a way to
stop that? Even for <a href=xxx>? Or <iframe src=xxx>?

*Example: *

*Enter:*
<iframe src="
http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8">
<a href="
http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8">

*Post-Antisamy Expected result: *
<iframe src="
http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8">
<a href="
http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8">


*Post-Antisamy Observed result:*
<iframe src="
http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8
">
<a href="
http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8
">


Am I missing a setting/directive? URLs shouldn't be treated like any other
HTML attribute -- that would break intended functionality.

Thanks in advance,
Stephanie
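To see why an HTML serializer entity-encodes `&` inside `src`/`href` values and why the page still receives the original URL, here is an added Python example (not part of the original post, and not AntiSamy code) that encodes the URL from the post into an attribute and parses it back with Python's `html.parser`, which decodes attribute character references as a browser does. It assumes the observed output used `&amp;` in place of `&` (the archive rendering above shows a bare `&` in both results).

```python
import html
from html.parser import HTMLParser

# Constructed sample: the URL from the post, as typed by the author.
RAW_URL = "http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8"


def encode_attr(value: str) -> str:
    """Entity-encode a value for use inside a double-quoted HTML attribute.

    & becomes &amp; and " becomes &quot;, so the value can neither start a
    character reference by accident nor terminate the attribute early.
    """
    return html.escape(value, quote=True)


def render_tag(tag: str, attr: str, url: str) -> str:
    """Serialize a single tag with one attribute, attribute-encoding the URL."""
    return f'<{tag} {attr}="{encode_attr(url)}">'


class AttrCollector(HTMLParser):
    """Records attribute values as a parser sees them after reference decoding."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self.attrs[(tag, name)] = value


def parse_attr(markup: str, tag: str, attr: str) -> str:
    """Parse the markup and return the decoded value of tag/attr."""
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs[(tag, attr)]


def round_trip(tag: str, attr: str, url: str):
    """Return (encoded markup, URL recovered by the parser)."""
    markup = render_tag(tag, attr, url)
    return markup, parse_attr(markup, tag, attr)


if __name__ == "__main__":
    for tag, attr in (("iframe", "src"), ("a", "href")):
        markup, recovered = round_trip(tag, attr, RAW_URL)
        print(markup)
        print("parser recovers original URL:", recovered == RAW_URL)
```

The printed markup contains `&amp;` between query parameters, yet the parser hands back exactly the URL that was typed in.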

