[owasp-antisamy] Not Considered as Vulnerable Script

Jason Li jason.li at owasp.org
Mon Mar 11 16:43:21 UTC 2013


AntiSamy is intended to be an HTML validator, not a cross-site scripting
snippet detector.

The snippet you provide does not by itself result in any
execution of JavaScript. It's only in a certain HTML context that it would
be caused to execute.

The intended use case for AntiSamy is a situation where an application must
accept raw, untrusted HTML in a safe way. AntiSamy validates such input
against a whitelist of safe HTML/CSS.

Hope that clears things up!


On Monday, March 11, 2013, Suhas N Gogate wrote:

>  Hi,
> When I gave Input as *-1%22%2Balert%281214%29%2B%22*' it is not
> considered as XSS Script in antisamy. Please suggest me how to resolve this
> Thanks and Regards,
> Suhas Gogate N
> ------------------------------
> Disclaimer: This transmission, including attachments, is confidential,
> proprietary, and may be privileged. It is intended solely for the intended
> recipient. If you are not the intended recipient, you have received this
> transmission in error and you are hereby advised that any review,
> disclosure, copying, distribution, or use of this transmission, or any of
> the information included therein, is unauthorized and strictly prohibited.
> If you have received this transmission in error, please immediately notify
> the sender by reply and permanently delete all copies of this transmission
> and its attachments.
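The point of the reply above is that the submitted string contains no HTML at all, so an HTML whitelist validator has nothing to reject; it only becomes dangerous when an application drops it unencoded into a quoted attribute (or a script) at render time. The following Python example is added here to illustrate that and is not part of the thread or of AntiSamy itself: it decodes the input from the message, shows that an HTML parser finds no elements in it, and contrasts a sink that concatenates it raw into an attribute with one that applies context-appropriate output encoding. The `RAW_INPUT` constant is the URL-encoded value from the question (without the surrounding markup); the function names are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed from the question in the thread: the URL-encoded input as submitted.
RAW_INPUT = "-1%22%2Balert%281214%29%2B%22"


def decode_input(raw: str) -> str:
    """URL-decode the submitted value, as a web framework would before validation."""
    return unquote(raw)


class _TagCollector(HTMLParser):
    """Records every start tag seen; a whitelist validator works on this structure."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def html_tags_in(snippet: str) -> list[str]:
    """Return the HTML element names present in the snippet (empty if it is plain text)."""
    parser = _TagCollector()
    parser.feed(snippet)
    parser.close()
    return parser.tags


def render_in_attribute_unencoded(snippet: str) -> str:
    """The vulnerable pattern: raw concatenation into a double-quoted attribute.
    A double quote inside the value terminates the attribute early."""
    return '<input value="' + snippet + '">'


def render_in_attribute_encoded(snippet: str) -> str:
    """The mitigation at the sink: HTML attribute encoding, which turns the
    quote characters into entities so the value cannot break out of the attribute."""
    return '<input value="' + escape(snippet, quote=True) + '">'


def breaks_out_of_attribute(snippet: str) -> bool:
    """Detection helper: does the raw value contain a character that would
    close a quoted attribute if it were concatenated without encoding?"""
    return '"' in snippet or "'" in snippet


if __name__ == "__main__":
    decoded = decode_input(RAW_INPUT)
    print("decoded value :", decoded)
    print("html elements :", html_tags_in(decoded))          # [] -> nothing for a whitelist to strip
    print("would break out:", breaks_out_of_attribute(decoded))
    print("unencoded sink :", render_in_attribute_unencoded(decoded))
    print("encoded sink   :", render_in_attribute_encoded(decoded))
```

The takeaway matches the reply: an HTML validator such as AntiSamy answers "is this well-formed, whitelisted HTML?", and for this input the honest answer is yes, because there is no markup in it. Preventing the attribute breakout is the job of output encoding chosen for the context the value lands in, which is separate from input validation.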