[owasp-antisamy] AntiSamy 1.5.7 released

Arshan Dabirsiaghi arshan.dabirsiaghi at gmail.com
Thu Sep 28 20:32:22 UTC 2017


Hi! No traffic on this list for a year, but things haven't been totally
quiet.

First, we moved source control to GitHub last year [1].

Second, in December 2016, there was a vulnerability in how style attributes
were validated (if you allowed style markup) reported to us on the GitHub
page, which I'm terrible at keeping up with. It was given CVE-2016-10006
[2] and fixed with 1.5.6.

Third, in July (again, I'm terrible) there was a report of a vulnerability
as new HTML5 entities have become standardized which violate previous
assumptions about the ability to execute JavaScript from event handler
attributes. So, basically, the rug was pulled from under us! This issue is
fixed and was released with 1.5.7 just now [3]. It was given CVE-2017-14735.

We are happy to continue fixing bugs, accepting pull requests, etc.

Thanks,
Arshan

[1] https://github.com/nahsra/antisamy/
[2] https://github.com/nahsra/antisamy/issues/2
[3] https://github.com/nahsra/antisamy/issues/10