[owasp-antisamy] Losing brackets when using antisamy-anythinggoes-r239.xml

Chris Tsongas chris.tsongas at bitmojo.com
Fri Oct 19 23:34:35 UTC 2012

Hi Troy,
Sorry for the false alarm, you are correct that my brackets were not being bothered. The newsletter is HTML and people can put in links, images, etc. as well as edit the source code so I figured some XSS protection would be good and my security guy recommended antisamy. Not familiar with ESAPI.
-----Original Message-----
From: "Troy Doty" <troy.doty at touchnet.com>
Sent: Friday, October 19, 2012 11:34am
To: "'Chris Tsongas'" <chris.tsongas at bitmojo.com>, "owasp-antisamy at lists.owasp.org" <owasp-antisamy at lists.owasp.org>
Subject: RE: [owasp-antisamy] Losing brackets when using antisamy-anythinggoes-r239.xml

A few things. First off, the brackets are not reserved HTML characters, and should not be removed by AntiSamy (and aren't in version 1.4.4 or 1.4.5). You might double check what is actually being sent to AntiSamy to ensure they are not being removed beforehand.
Secondly, if you are not allowing your users to enter HTML markup, I see no reason in using AntiSamy. If you just want to validate and clean the input, you should write your own validation (based on business rules) and use a library (such as ESAPI) to encode untrusted output when writing to the page.
I hope this solves your problem, if not, let me know what questions you may still have.

From: owasp-antisamy-bounces at lists.owasp.org [mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Chris Tsongas
Sent: Friday, October 19, 2012 12:40 PM
To: owasp-antisamy at lists.owasp.org
Subject: [owasp-antisamy] Losing brackets when using antisamy-anythinggoes-r239.xml
Hi Folks,
I'm new to using AntiSamy. I'm using antisamy-anythinggoes-r239.xml to filter content for an intranet-type ColdFusion site that's for the most part closed to public access. I just implemented an internal email newsletter for their employees, and there's a feature that allows them to put [firstname] in the newsletter content and have the recipient's first name substituted for that when the newsletter gets sent out.
My issue is that AntiSamy is stripping out the brackets around [firstname] so the substitution doesn't work. Wondering if there's a way around that in terms of tweaking the xml file--I couldn't tell where the brackets are being stripped--or if there's another placeholder character besides brackets that wouldn't get stripped.
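
As an added illustration of the flow the thread describes (this is not code from the thread or from the AntiSamy project): the authored newsletter HTML is run through AntiSamy once with the anythinggoes policy, where square brackets survive as plain text, and [firstname] is filled in per recipient afterwards with an HTML-encoded value, along the lines of Troy's advice to encode untrusted output. The class name, the policy file location, the placeholder regex and the small encoder helper are assumptions.

```java
import java.io.File;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class NewsletterSanitizer {
    // Placeholder syntax from the thread: [firstname], [lastname], ... (regex is an assumption)
    private static final Pattern PLACEHOLDER = Pattern.compile("\\[([a-z]+)\\]");
    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    public NewsletterSanitizer(File policyFile) throws PolicyException {
        // e.g. new File("antisamy-anythinggoes-r239.xml"); the location depends on the deployment
        this.policy = Policy.getInstance(policyFile);
    }

    // Step 1: run the author-supplied HTML through AntiSamy once, when it is saved.
    public String sanitize(String authoredHtml) throws ScanException, PolicyException {
        CleanResults cr = antiSamy.scan(authoredHtml, policy);
        // Square brackets are plain text, not markup, so [firstname] comes out unchanged.
        return cr.getCleanHTML();
    }

    // Step 2: per recipient, fill placeholders with HTML-encoded values, so that profile
    // data inserted after sanitization cannot introduce markup AntiSamy never saw.
    public static String merge(String cleanHtml, Map<String, String> fields) {
        Matcher m = PLACEHOLDER.matcher(cleanHtml);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = fields.get(m.group(1));
            // Unknown placeholders are left exactly as written.
            String replacement = value == null ? m.group(0) : encodeForHtml(value);
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Minimal HTML entity encoder; ESAPI's ESAPI.encoder().encodeForHTML() does the same job.
    static String encodeForHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

Calling sanitize() once when the newsletter is saved and merge() once per recipient keeps the substitution after the AntiSamy pass, so the only text added afterwards is the encoded recipient value.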
