[owasp-antisamy] Prevent HTML Re-writing

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu Sep 5 17:34:19 UTC 2013


Unfortunately, this is a required step. Getting the input into a predictable format (a DOM) is necessary to validate it further. Otherwise, malicious input may be able to trick the sanitizer into thinking it's in a different parsing context.

I'm not sure you want what you're looking for, anyway. If a user passes in <b> with no closing tag, it will embolden the rest of the content that follows. Restricting the markup to be self-contained is a big part of making sure the user's input isn't affecting the rest of the page.

Thanks,
Arshan

From: Stephanie <security.stephanie at gmail.com>
Date: Wednesday, September 4, 2013 12:36 PM
To: "owasp-antisamy at lists.owasp.org" <owasp-antisamy at lists.owasp.org>
Subject: [owasp-antisamy] Prevent HTML Re-writing

Currently, AntiSamy will not only filter the input, but also re-format it to proper HTML. I know this is Neko at work -- is there a way to prevent this -- or is this a critical step in filtering?

The reason I ask is we have input that is best not altered -- e.g. maintaining a user's original HTML input (even if malformed) but filtering for allowed HTML tags and attributes.

The two directives I thought would impact this are below, but they are both set to something that wouldn't change it.
   <directive name="useXHTML"               value="false" />
   <directive name="formatOutput"           value="false" />

Example:
Input: <b>
Observed Output: <b></b>
Desired Output: <b>

Current Directives
<directives>
        <directive name="connectionTimeout"      value="1000" />
        <directive name="embedStyleSheets"       value="false" />
        <directive name="formatOutput"           value="false" />
        <directive name="maxInputSize"           value="100000" />
        <directive name="maxStyleSheetImports"   value="1" />
        <directive name="nofollowAnchors"        value="true" />
        <directive name="omitDoctypeDeclaration" value="true" />
        <directive name="omitXmlDeclaration"     value="true" />
        <directive name="onUnknownTag"           value="remove" />
        <directive name="preserveComments"       value="true" />
        <directive name="preserveSpace"          value="true" />
        <directive name="useXHTML"               value="false" />
        <directive name="validateParamAsEmbed"   value="true" />
</directives>
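To make Arshan's point concrete, here is an added example (not code from this thread or from the AntiSamy project itself) that runs a few constructed malformed fragments, including the `<b>` case above, through the public `AntiSamy.scan` API and checks that each cleaned result is self-contained before it is concatenated with the rest of a page. The policy file name is an assumption; any AntiSamy policy that allows `<b>` and `<i>` will do.

```java
import java.io.File;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Shows why AntiSamy closes and re-balances tags: the normalized fragment can
 * be placed in front of trusted page content without an open <b>/<i> from the
 * user swallowing everything that follows.
 */
public class SelfContainedMarkupDemo {

    // Assumed: a policy file on disk that permits <b> and <i>.
    private static final String POLICY_FILE = "antisamy.xml";

    // Constructed inputs; the first one is the exact case from the thread.
    private static final String[] MALFORMED = {
        "<b>",
        "<b>bold but never closed",
        "<b><i>mismatched nesting</b></i>",
        "stray close</b> then <i>left open"
    };

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(new File(POLICY_FILE));
        AntiSamy antiSamy = new AntiSamy();
        String trustedTail = "<p>Rest of the page, not written by the user.</p>";

        for (String input : MALFORMED) {
            CleanResults result = antiSamy.scan(input, policy);
            String clean = result.getCleanHTML();
            System.out.println("Input:    " + input);
            System.out.println("Output:   " + clean);
            System.out.println("Page:     " + clean + trustedTail);
            System.out.println("Balanced: " + (isBalanced(clean, "b") && isBalanced(clean, "i")) + "\n");
        }
    }

    /** True when opening and closing tags for {@code tag} occur equally often. */
    static boolean isBalanced(String html, String tag) {
        return count(html, "<" + tag + ">") == count(html, "</" + tag + ">");
    }

    private static int count(String haystack, String needle) {
        int n = 0;
        for (int i = haystack.indexOf(needle); i >= 0; i = haystack.indexOf(needle, i + needle.length())) n++;
        return n;
    }
}
```

With the thread's own `<b>` input the printed output is `<b></b>`, and the balance check stays true for every fragment, which is exactly the property the reply describes as the reason the DOM step cannot be skipped.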