[owasp-antisamy] Escape Arbitrary Html tags

Phani Bhushan Kanakamedala pkanakamedala at modeln.com
Mon Oct 30 11:31:43 UTC 2017


Hi,

  We have implemented Antisamy for our application to escape html tags in
user inputs. Recent security testing on IE9 browser with input value as
*<%/onmouseover=prompt(1)> *is resulting user to prompt for user input
onmouse over. I have gone through Antisamyprofile.xml file and couldn't
find any option as how to escape these arbitrary tags, i event tried with
below directive but didn't help

<directive name="onUnknownTag" value="remove"/>

Can some one help me in this regard as what property setting needs to be
done to remove this tag.

Thanks,
-- 

*Phani Kanakamedala *Architect *|* Model N
* O: *+91 40 45465540   *M: *+91 9000666251
8th Floor, Block-3, DLF Cyber City, Gachibowli, Hyderabad, India

-- 
-------------------------------------------
NOTICE:
This email and all attachments may contain information that is confidential, 
private or protected by attorney-client privilege. If you believe that you 
are not an intended recipient, please do not copy, forward, or rely on the 
contents of this email in any way. Please notify the sender and delete or 
destroy any copy of this email and its attachments. Sender reserves and 
asserts all rights to confidentiality, including all privileges that may 
apply.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-antisamy/attachments/20171030/d23f29c7/attachment.html>


More information about the Owasp-antisamy mailing list