[owasp-antisamy] Losing brackets when using antisamy-anythinggoes-r239.xml

Troy Doty troy.doty at touchnet.com
Fri Oct 19 18:34:59 UTC 2012


Chris,

A few things.  First off, the brackets are not reserved HTML characters, and should not be removed by AntiSamy (and aren't in version 1.4.4 or 1.4.5).  You might double check what is actually being sent to AntiSamy to ensure they are not being removed beforehand.

Secondly, if you are not allowing your users to enter HTML markup, I see no reason in using AntiSamy.  If you just want to validate and clean the input, you should write your own validation (based on business rules) and use a library (such as ESAPI) to encode untrusted output when writing to the page.

I hope this solves your problem, if not, let me know what questions you may still have.

Thanks

________________________________
From: owasp-antisamy-bounces at lists.owasp.org [mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Chris Tsongas
Sent: Friday, October 19, 2012 12:40 PM
To: owasp-antisamy at lists.owasp.org
Subject: [owasp-antisamy] Losing brackets when using antisamy-anythinggoes-r239.xml


Hi Folks,



I'm new to using antisami, I'm using antisamy-anythinggoes-r239.xml to filter content for an intranet-type ColdFusion site that's for the most part closed to public access. I just implemented an internal email newsletter for their employees, and there's a feature that allows them to put [firstname] in the newsletter content and have the recipient's first name substituted for that when the newsletter gets sent out.



My issue is that antisami is stripping out the brackets around [firstname] so the substitution doesn't work. Wondering if there's a way around that in terms of tweaking the xml file--I couldn't tell where the brackets are being stripped--or if there's another placeholder character besides brackets that wouldn't get stripped.



Thanks,



Chris

_________________________________________________________________

Confidentiality Notice: This electronic mail transmission, including any accompanying attachments, is intended solely for its authorized recipient(s). If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you received this transmission in error, immediately contact the sender and delete the contents and attachments of this message.

Note to recipient: This is an unsecured email service which is not intended for sending confidential or highly sensitive information. Confidential or highly sensitive information includes, but is not limited to, payment card information, social security numbers, and account numbers.
_________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-antisamy/attachments/20121019/4a6ec678/attachment.html>


More information about the Owasp-antisamy mailing list