[owasp-antisamy] AntiSamy not able to figure out the closing tags in custom XML and it's truncating all of its child elements.

manjutimes manjutimes at gmail.com
Mon Jul 6 20:01:03 UTC 2015


[Continuation of previous mail:]

issue 1: AntiSamy has an issue scanning custom/project-specific XMLs:
We fixed it by adding our project-specific XML tags to <allowed-empty-tags>
in the AntiSamy rules XML. The problem with this approach is that we had to add all
project-specific XML tags to the following list. We had around 150 of them,
and we needed to add all of them.
Eg:
<allowed-empty-tags>
  <literal-list>
    <literal value="ackId"/>
    <literal value="action"/>
    <literal value="ACV"/>
           .
           .
           .
  </literal-list>
</allowed-empty-tags>

issue 2: AntiSamy is converting all project-specific custom XML tags to
lowercase:
We took the source of antisamy-1.5.3.jar and had to customize it in order
to suit our project's needs. In our project, the XMLs have to preserve their
"case" when they are transferred. But when they are passed through AntiSamy,
everything is converted to lowercase, both the elements
and their attributes. So we customized antisamy-1.5.3 and introduced 2
new directives, which are as follows:

  <!-- values: "lower", "upper", "match" -->
  <directive name="parseRecognizedElementName" value="match"/>


We modified org.owasp.validator.html.scan.AntiSamyDOMScanner.java to accept
the value from the above directive. By default the parser defined in
AntiSamyDOMScanner.java set its property to convert all XML tags to
lower case. So we modified it to use "match" in order to preserve the elements'
"case". This value is supplied through the new directive and is part of the
AntiSamy rules XML.

Actual code:

  parser.setProperty("http://cyberneko.org/html/properties/names/elems", "lower");

Changed to:

  parser.setProperty("http://cyberneko.org/html/properties/names/elems",
      InternalPolicy.parseRecognizedElementName);



We also introduced a new directive to preserve the "case" of each attribute
within custom/project-specific elements:

  <!-- values: "lower", "upper", "no-change" -->
  <directive name="parseRecognizedAttributeName" value="no-change"/>


We added the following piece of code to AntiSamyDOMScanner.java:

  parser.setProperty("http://cyberneko.org/html/properties/names/attrs",
      InternalPolicy.parseRecognizedAttributeName);


So will these changes actually be taken care of in the upcoming AntiSamy
release?
Otherwise it will be a problem for us when a new version is released: we
will have to modify the code again to suit our needs.

Thanks
Manju
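
Added example (not part of the thread, and not AntiSamy's own code): the two parser
properties named in the mail belong to NekoHTML, the HTML parser that AntiSamy's
AntiSamyDOMScanner is built on. The class below drives NekoHTML's DOMFragmentParser
directly with those properties, parses a constructed Flight message of the same shape as the
one in the first mail, and re-serialises the resulting DOM, so the effect of "lower"/"lower"
versus "match"/"no-change" on element and attribute names can be seen without patching
AntiSamy. The property URIs are the ones quoted in the mail; the accepted values
("upper", "lower", "match" for element names and "upper", "lower", "no-change" for attribute
names) are NekoHTML's. It assumes nekohtml and xercesImpl are on the classpath, which is the
case with antisamy-1.5.3; the class and method names are the example's own.

```java
import java.io.IOException;
import java.io.StringReader;

import org.apache.html.dom.HTMLDocumentImpl;
import org.cyberneko.html.parsers.DOMFragmentParser;
import org.w3c.dom.Attr;
import org.w3c.dom.DocumentFragment;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/*
 * Example code, not part of AntiSamy. Drives NekoHTML's DOMFragmentParser
 * (the parser AntiSamyDOMScanner uses) with the two name-case properties
 * from the mail and shows what the resulting DOM holds.
 */
public class NekoNameCaseDemo {

    // Property URIs as quoted in the mail. Values accepted by NekoHTML:
    //   elems: "upper" | "lower" | "match"
    //   attrs: "upper" | "lower" | "no-change"
    static final String ELEMS_PROP = "http://cyberneko.org/html/properties/names/elems";
    static final String ATTRS_PROP = "http://cyberneko.org/html/properties/names/attrs";

    // Constructed input with the same shape as the Flight request in the mail.
    static final String SAMPLE =
          "<Flight>\n"
        + "  <Designator airline=\"RR\" number=\"7010\"/>\n"
        + "  <DateRange end=\"05/14/2015\" start=\"05/14/2015\"/>\n"
        + "  <Frequency days=\"   4   \"/>\n"
        + "</Flight>";

    /** Parse a fragment with the given name-case settings and return the DOM re-serialised. */
    static String parseWithCase(String input, String elemCase, String attrCase)
            throws SAXException, IOException {
        DOMFragmentParser parser = new DOMFragmentParser();
        parser.setProperty(ELEMS_PROP, elemCase);
        parser.setProperty(ATTRS_PROP, attrCase);
        DocumentFragment fragment = new HTMLDocumentImpl().createDocumentFragment();
        parser.parse(new InputSource(new StringReader(input)), fragment);
        StringBuilder out = new StringBuilder();
        serialize(fragment, out);
        return out.toString();
    }

    /** Minimal serialiser: prints element and attribute names exactly as the DOM holds them. */
    private static void serialize(Node node, StringBuilder out) {
        switch (node.getNodeType()) {
            case Node.ELEMENT_NODE:
                out.append('<').append(node.getNodeName());
                NamedNodeMap attrs = node.getAttributes();
                for (int i = 0; i < attrs.getLength(); i++) {
                    Attr a = (Attr) attrs.item(i);
                    out.append(' ').append(a.getName())
                       .append("=\"").append(escape(a.getValue())).append('"');
                }
                out.append('>');
                for (Node c = node.getFirstChild(); c != null; c = c.getNextSibling()) {
                    serialize(c, out);
                }
                out.append("</").append(node.getNodeName()).append('>');
                break;
            case Node.TEXT_NODE:
                out.append(escape(node.getNodeValue()));
                break;
            default: // document fragment and anything else: just descend
                for (Node c = node.getFirstChild(); c != null; c = c.getNextSibling()) {
                    serialize(c, out);
                }
        }
    }

    // Escape so the serialised output cannot be misread as new markup.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) throws Exception {
        // The stock scanner's setting: every name forced to lower case.
        System.out.println("elems=lower, attrs=lower:");
        System.out.println(parseWithCase(SAMPLE, "lower", "lower"));
        // What the proposed directives would select: names kept as written.
        System.out.println("elems=match, attrs=no-change:");
        System.out.println(parseWithCase(SAMPLE, "match", "no-change"));
    }
}
```

Two things to look at in the output. First, the name case differs between the two runs and
nothing else in the scanner needs to change for that. Second, how the `/>` on the unknown
elements is nested is decided by NekoHTML's tag balancer, not by these properties, and that
nesting is what the first mail's truncation question is really about, so read the element
nesting in the output rather than assuming the `/>` closes each element. These properties only
change the names the parser reports; how AntiSamy then matches those names against the tag
rules in the policy is separate code in the scanner and should be checked after a change like
this.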




On Mon, Jul 6, 2015 at 2:38 PM, manjutimes <manjutimes at gmail.com> wrote:

> issue 1: AntiSamy has an issue scanning custom/project-specific XMLs:
> We fixed it by adding our project-specific XML tags
> to <allowed-empty-tags> in the AntiSamy rules XML.
> Eg:
> <allowed-empty-tags>
> <literal-list>
> <literal value="ackId"/>
> <literal value="action"/>
> <literal value="ACV"/>
>
> On Tue, Jun 30, 2015 at 7:00 AM, <owasp-antisamy-request at lists.owasp.org>
> wrote:
>
>> Date: Mon, 29 Jun 2015 16:00:46 -0500
>> From: manjutimes <manjutimes at gmail.com>
>> To: owasp-antisamy at lists.owasp.org
>> Subject: [owasp-antisamy] AntiSamy not able to figure out the closing
>>         tags in custom XML and it's truncating all of its child elements.
>>
>> Hi,
>> We are trying to configure AntiSamy for our project and we came across the 2
>> following issues:
>> 1. AntiSamy has an issue scanning custom/project-specific XMLs:
>>      For instance, when the message is in the following XML format, it's
>> not able to figure out the abbreviated closing tag and thereby it's truncating
>> all of its child elements.
>>       The following request and response data shows it all. We are
>> currently using antisamy-1.4.4.jar and have added <directive
>> name="onUnknownTag" value="encode"/> to the RULES XML. Is there any other
>> directive that we need to include in the RULES XML to get rid of it? I even
>> tried with antisamy-1.5.3.jar, but no luck.
>>
>>
>>
>> Request which is passed from UI:
>>
>> <Flight>
>>            <Designator airline="RR" number="7010"/>
>>            <DateRange end="05/14/2015" start="05/14/2015"/>
>>            <Frequency days="   4   "/>
>>   </Flight>
>>
>> Response that we get back from AntiSamy:
>>
>>                 <flight> </flight>
>>
>>
>> 2. In the response, AntiSamy is converting all the XML tags to
>> lowercase.
>> It's not preserving the "case" of each tag. And there is no configuration
>> defined to omit such conversion, is there? I saw a similar post,
>> https://lists.owasp.org/pipermail/owasp-antisamy/2008-May/000045.html ,
>> but
>> I didn't find any solution defined for the issue.
>>
>>
>> Could you please get back to us with possible solutions/suggestions. Looking
>> forward to it. This is a little urgent.
>>
>>
>> Thanks
>>
>> Manju