[owasp-antisamy] Escape Arbitrary Html tags

Arshan Dabirsiaghi arshan.dabirsiaghi at gmail.com
Mon Oct 30 20:01:41 UTC 2017


You should report an issue on the GitHub issues page if you think there is
a problem [1].

However, when I run AntiSamy (latest) on your input, it gets encoded as
expected:

<%/onmouseover=prompt(1)>

Thanks,

Arshan

[1] https://github.com/nahsra/antisamy/issues



On Mon, Oct 30, 2017 at 7:31 AM, Phani Bhushan Kanakamedala <
pkanakamedala at modeln.com> wrote:

> Hi,
>
>   We have implemented AntiSamy for our application to escape HTML tags in
> user inputs. Recent security testing on the IE9 browser with the input value
> *<%/onmouseover=prompt(1)>* results in the user being prompted for input
> on mouse-over. I have gone through the Antisamyprofile.xml file and couldn't
> find any option for how to escape these arbitrary tags; I even tried the
> directive below, but it didn't help:
>
> <directive name="onUnknownTag" value="remove"/>
>
> Can someone help me in this regard as to what property setting needs to be
> done to remove this tag?
>
> Thanks,
> --
>
> *Phani Kanakamedala* Architect *|* Model N
> *O:* +91 40 45465540   *M:* +91 9000666251
> 8th Floor, Block-3, DLF Cyber City, Gachibowli, Hyderabad, India
>
>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>
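To reproduce what Arshan describes (running the poster's input through AntiSamy and checking that it comes out encoded rather than as live markup), here is an added example in Java; it is not code from the thread or from the AntiSamy project. The policy path is an assumption, stand-in for wherever your Antisamyprofile.xml lives, and the input string is the one from the original post.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyEncodingCheck {
    // Assumed location of the policy file; substitute the real path used
    // by your deployment (the poster's file is named Antisamyprofile.xml).
    private static final String POLICY_FILE = "/path/to/Antisamyprofile.xml";

    // The input from the original post, reconstructed here as a test string.
    private static final String INPUT = "<%/onmouseover=prompt(1)>";

    // Runs the policy over the input and returns the sanitized HTML.
    public static String sanitize(String policyFile, String input)
            throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(policyFile);
        CleanResults results = new AntiSamy().scan(input, policy);
        // Error messages explain what the policy removed or altered.
        for (String msg : results.getErrorMessages()) {
            System.out.println("Policy note: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        String clean = sanitize(POLICY_FILE, INPUT);
        System.out.println("Clean HTML: " + clean);

        // Regression check: this input contains no tag the policy should
        // allow, so a correctly encoded result carries no raw '<' at all
        // (the expected form is "&lt;%/onmouseover=prompt(1)&gt;").
        if (clean.indexOf('<') >= 0) {
            throw new IllegalStateException(
                "raw '<' survived sanitization: " + clean);
        }
    }
}
```

Run it against the same policy file your application loads; a difference from the library's default behaviour usually points at the policy rather than at AntiSamy itself.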