[owasp-antisamy] Not Considered as Vulnerable Script

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue Mar 12 12:23:44 UTC 2013


I suggest you re-read the message Jason was kind enough to send you. Maybe the AntiSamy policy you have chosen doesn't allow <p>.

The error messages provided by AntiSamy are intended to be helpfully the end user, not an indication of XSS.

Finally, the process of converting broken HTML is not always perfect.

Arshan

On Mar 12, 2013, at 5:10 AM, "Suhas N Gogate" <suhas.gogate at arisglobal.co.in<mailto:suhas.gogate at arisglobal.co.in>> wrote:

Hi,

When <p> is given as input parameter , antisamy finds it as XSS script. But when I give <p>/ or <p>& it is not working as intended.

Please suggest on the same.

Thanks and Regards,
Suhas Gogate N
Team Leader

From: Suhas N Gogate
Sent: Monday, March 11, 2013 9:25 PM
To: 'Owasp-antisamy at lists.owasp.org<mailto:Owasp-antisamy at lists.owasp.org>'
Subject: Not Considered as Vulnerable Script

Hi,

When I gave Input as -1%22%2Balert%281214%29%2B%22' it is not considered as XSS Script in antisamy. Please suggest me how to resolve this

Thanks and Regards,
Suhas Gogate N


________________________________


Disclaimer: This transmission, including attachments, is confidential, proprietary, and may be privileged. It is intended solely for the intended recipient. If you are not the intended recipient, you have received this transmission in error and you are hereby advised that any review, disclosure, copying, distribution, or use of this transmission, or any of the information included therein, is unauthorized and strictly prohibited. If you have received this transmission in error, please immediately notify the sender by reply and permanently delete all copies of this transmission and its attachments.

_______________________________________________
Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org<mailto:Owasp-antisamy at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-antisamy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-antisamy/attachments/20130312/5e0539bf/attachment.html>


More information about the Owasp-antisamy mailing list