[owasp-antisamy] Attribute Encoding should not occur for all cases

Stephanie S security.stephanie at gmail.com
Thu Aug 23 20:57:27 UTC 2012


Actually, I think we can disregard my question.

The conversion of & to &amp; in URLs is considered ok by browsers and is
part of XHTML. If you do NOT want this to happen, then change the useXHTML
directive to false and it stops.

http://www.w3.org/TR/xhtml1/guidelines.html#C_12

Excerpt from W3 XHTML guidelines:
In order to ensure that documents are compatible with historical HTML user
agents and XML-based user agents, ampersands used in a document that are to
be treated as literal characters must be expressed themselves as an entity
reference (e.g. "&amp;"). For example, when the href attribute of the a element
refers to a CGI script that takes parameters, it must be expressed as
http://my.site.dom/cgi-bin/myscript.pl?class=guest&amp;name=user rather
than as http://my.site.dom/cgi-bin/myscript.pl?class=guest&name=user.




On Wed, Aug 22, 2012 at 5:27 PM, Stephanie S
<security.stephanie at gmail.com> wrote:

> Hello,
>
> I see from a similar thread that HTML attribute values are getting encoded
> but my question is about URLs that would appear in attributes.
> https://lists.owasp.org/pipermail/owasp-antisamy/2010-February/000305.html
>
> The question is -- is it happening across the board and is there a way to
> stop that? Even for <a href=xxx>? Or <iframe src=xxx>?
>
> *Example: *
>
> *Enter:*
> <iframe src="
> http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8
> ">
> <a href="
> http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8
> ">
>
> *Post-Antisamy Expected result: *
> <iframe src="
> http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8">
>
> <a href="
> http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8">
>
>
> *Post-Antisamy Observed result:*
> <iframe src="
> http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8<http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8>
> ">
> <a href="
> http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8<http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8>
> ">
>
>
> Am I missing a setting/directive? URLs shouldn't be treated like any other
> HTML attribute -- that would break intended functionality.
>
> Thanks in advance,
> Stephanie
>
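An added example (not code from the thread or from AntiSamy) showing why the encoding is harmless: an HTML parser decodes entities in attribute values, so the `&amp;` form and the raw form of the thread's URL reach the application identically. Python's html.parser is used here as a stand-in for browser attribute decoding; the `&copy=1` URL is a constructed edge case, not one from the thread.

```python
from html.parser import HTMLParser
import html

# The URL from the thread, as it would be supplied to AntiSamy.
THREAD_URL = "http://mywebsite/abc?cmd=render&width=500&height=300&sourceId=lMbKxesO0L8"


def xhtml_attr(url: str) -> str:
    """Encode a URL for a double-quoted attribute as the XHTML guideline requires:
    every literal '&' becomes '&amp;' (and '"' becomes '&quot;')."""
    return html.escape(url, quote=True)


class _HrefCollector(HTMLParser):
    """Collects href/src values after the parser has decoded entities in them."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value is not None:
                self.urls.append(value)


def parsed_url(markup: str) -> str:
    """Return the first href/src value exactly as the parser delivers it."""
    p = _HrefCollector()
    p.feed(markup)
    p.close()
    return p.urls[0]


def roundtrip(url: str) -> tuple[str, str]:
    """Parse the URL written raw and written XHTML-encoded; return both decoded values."""
    raw = parsed_url(f'<a href="{url}">x</a>')
    encoded = parsed_url(f'<a href="{xhtml_attr(url)}">x</a>')
    return raw, encoded


if __name__ == "__main__":
    raw, enc = roundtrip(THREAD_URL)
    print(xhtml_attr(THREAD_URL))    # the '&amp;' form AntiSamy emits with useXHTML
    print(raw == enc == THREAD_URL)  # True: the decoded URL is the same either way
    # Constructed edge case: a query key that is also a legacy entity name ('&copy').
    raw2, enc2 = roundtrip("http://my.site.dom/cgi-bin/myscript.pl?class=guest&copy=1")
    print(raw2)  # raw form is mis-decoded ('&copy' -> '\u00a9'); encoded form is exact
    print(enc2)
```

The second case is the guideline's rationale: only the `&amp;` form is unambiguous to every entity-decoding consumer.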