[owasp-antisamy] Prevent HTML Re-writing

Stephanie security.stephanie at gmail.com
Wed Sep 4 16:36:01 UTC 2013


Currently, AntiSamy will not only filter the input, but also re-format it
to proper HTML. I know this is Neko at work -- is there a way to prevent
this -- or is this a critical step in filtering?

The reason I ask is we have input that is best to not be altered -- e.g.
maintaining a user's original HTML input (even if malformed) but filtering
for allowed HTML tags and attributes.

The two directives I thought would impact this are below, but they are
both set to something that wouldn't change it.
   <directive name="useXHTML"               value="false" />
   <directive name="formatOutput"           value="false" />

Example:
Input: <b>
Observed Output: <b></b>
Desired Output: <b>

Current Directives:
<directives>
    <directive name="connectionTimeout"      value="1000" />
    <directive name="embedStyleSheets"       value="false" />
    <directive name="formatOutput"           value="false" />
    <directive name="maxInputSize"           value="100000" />
    <directive name="maxStyleSheetImports"   value="1" />
    <directive name="nofollowAnchors"        value="true" />
    <directive name="omitDoctypeDeclaration" value="true" />
    <directive name="omitXmlDeclaration"     value="true" />
    <directive name="onUnknownTag"           value="remove" />
    <directive name="preserveComments"       value="true" />
    <directive name="preserveSpace"          value="true" />
    <directive name="useXHTML"               value="false" />
    <directive name="validateParamAsEmbed"   value="true" />
</directives>
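Editor's note, added after the post (this is not the poster's code and not AntiSamy project code): AntiSamy's scan does not operate on the raw string. In DOM mode it has NekoHTML build a parse tree and then serializes that tree; in SAX mode it re-emits the parser's events. The implied end tag in the `<b>` example is therefore inserted by the parser before the policy is consulted, and neither `formatOutput` (pretty-printing of the serializer output) nor `useXHTML` (HTML versus XHTML serialization) disables that round-trip. What a practitioner can do is tell the two kinds of change apart: policy actions (removed or filtered tags and attributes) show up in `CleanResults.getErrorMessages()`, whereas parser and serializer normalization changes the output without reporting an error. The example below does exactly that over a few constructed inputs, in both scan modes. The policy file path is a hypothetical placeholder; point it at the file holding the `<directives>` block above.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (not from the post or the AntiSamy project): scans a few
 * constructed inputs and separates policy-driven filtering (reported via
 * CleanResults.getErrorMessages()) from parser/serializer re-writing
 * (output differs from input while no policy action is reported).
 */
public class AntiSamyRewriteCheck {

    // Hypothetical path: the policy file containing the <directives> block
    // quoted in the post plus the usual tag/attribute rules.
    private static final String POLICY_FILE = "antisamy-policy.xml";

    // Constructed inputs. The first one is the example from the post; the
    // others probe well-formed, disallowed and overlapping markup.
    private static final String[] INPUTS = {
        "<b>",                                   // unclosed tag, allowed by policy
        "<b>bold</b>",                           // already well formed
        "<b>bold<script>alert(1)</script></b>",  // tag the policy should act on
        "<p>para<b>bold</p>",                    // overlapping tags
    };

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(POLICY_FILE);
        AntiSamy antiSamy = new AntiSamy();

        for (String input : INPUTS) {
            // Both scan types go through the HTML parser, so both normalize.
            report("DOM", input, antiSamy.scan(input, policy, AntiSamy.DOM));
            report("SAX", input, antiSamy.scan(input, policy, AntiSamy.SAX));
        }
    }

    /** Prints the input/output pair and classifies why they differ, if they do. */
    static void report(String mode, String input, CleanResults results) {
        String output = results.getCleanHTML();
        List<String> policyActions = results.getErrorMessages();
        boolean changed = !input.equals(output);

        System.out.printf("[%s] input : %s%n", mode, input);
        System.out.printf("[%s] output: %s%n", mode, output);
        if (!policyActions.isEmpty()) {
            // Something in the policy removed, filtered or truncated markup.
            System.out.println("      policy actions: " + policyActions);
        } else if (changed) {
            // No policy action, yet the text differs: parser/serializer
            // normalization only (implied end tags, re-nesting, quoting).
            System.out.println("      re-written by parser/serializer only");
        } else {
            System.out.println("      unchanged");
        }
        System.out.println();
    }
}
```

Run it against the real policy in use; an input that comes back changed with an empty `getErrorMessages()` list is exactly the re-writing the post asks about, and it is a property of the parse-and-serialize design rather than of any directive. If the original bytes must be retained, store them separately and keep the AntiSamy output as the rendered form; do not try to emit the unparsed input to a browser, since the policy was only ever evaluated on the normalized tree.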