<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Trebuchet MS";
        panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Trebuchet MS","sans-serif";
        color:blue;
        font-weight:normal;
        font-style:normal;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Trebuchet MS","sans-serif";
        color:blue;
        font-weight:normal;
        font-style:normal;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal;
        font-family:"Trebuchet MS","sans-serif";
        color:blue;
        font-weight:normal;
        font-style:normal;}
span.EmailStyle24
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:287204773;
        mso-list-type:hybrid;
        mso-list-template-ids:787632570 -1596310550 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-weight:bold;}
@list l0:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1
        {mso-list-id:1907759140;
        mso-list-type:hybrid;
        mso-list-template-ids:-785642186 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>My initial reference is enough to lead you to water. If you don&#8217;t need rich input, then don&#8217;t use AntiSamy at all and simply escape the string with a JavaScript escaping function like OWASP ESAPI&#8217;s escapeForJavaScript(). If you need it to have rich content, then use AntiSamy on it, then escape it with the same function.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Arshan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Mogare Amey [mailto:Amey.Mogare@atosorigin.com] <br><b>Sent:</b> Wednesday, May 11, 2011 9:57 AM<br><b>To:</b> Arshan Dabirsiaghi; Jason Li<br><b>Cc:</b> owasp-antisamy@lists.owasp.org<br><b>Subject:</b> RE: [owasp-antisamy] Using Antisamy in URL validation<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Hi Arshan,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Thank you for valuable explanation. 
I understood your point.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Can you please help me in preventing the type of XSS attack that I am referring to? (XSS on a URL parameter)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>In the following URL, the user has inserted an alert box in one of the URL parameters.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><a href="https://%3chost:port%3e/mypage?url=/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8">https://&lt;host:port&gt;/mypage?url=/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8</a> %26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1<span style='background:yellow;mso-highlight:yellow'>%27%3balert%281%29</span>//&amp;system=SINEQUA_Search_System<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>How do I prevent this alert from running and load the normal page?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><span 
style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Thank you.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>With warm regards,<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Amey Mogare<o:p></o:p></span></b></p></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> owasp-antisamy-bounces@lists.owasp.org [mailto:owasp-antisamy-bounces@lists.owasp.org] <b>On Behalf Of </b>Arshan Dabirsiaghi<br><b>Sent:</b> Wednesday, May 11, 2011 7:05 PM<br><b>To:</b> Mogare Amey; Jason Li<br><b>Cc:</b> owasp-antisamy@lists.owasp.org<br><b>Subject:</b> Re: [owasp-antisamy] Using Antisamy in URL validation<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This is absolutely expected behavior, and I&#8217;ll tell you why. It&#8217;s not changing your input because AntiSamy output is meant to be placed in what we call an &#8220;HTML context&#8221;. The threat AntiSamy addresses is cross-site scripting, and understanding how untrusted user data is reflected back on a page is critical in figuring out how to prevent it. 
The &#8220;dirtyInput&#8221; you have is a valid XSS proof of concept when data is placed into a JavaScript &#8220;context&#8221; like this:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&lt;script&gt; var a = &#8216;&lt;%=user input%&gt;&#8217;;&lt;/script&gt;<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>However, that context (inside JavaScript) is not a place where AntiSamy output is safe to put. AntiSamy output should only be placed between two standard markup tags, like this:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&lt;div&gt;&lt;%=antisamy output%&gt;&lt;/div&gt;<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In general, the rules that you have to apply to make sure user input doesn&#8217;t cause XSS depend 100% on what &#8220;context&#8221; the data ends up in within the HTML response. This, and many more details, are available in [1]. 
But, bottom line is, if you really need AntiSamy output to be inside JavaScript, you should take the AntiSamy output and run it through a JavaScript encoding/escaping function before putting it in your view.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Arshan<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[1] <a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> owasp-antisamy-bounces@lists.owasp.org [mailto:owasp-antisamy-bounces@lists.owasp.org] <b>On Behalf Of </b>Mogare Amey<br><b>Sent:</b> Wednesday, May 11, 2011 5:49 AM<br><b>To:</b> Jason Li<br><b>Cc:</b> owasp-antisamy@lists.owasp.org<br><b>Subject:</b> Re: [owasp-antisamy] Using Antisamy in URL validation<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Hi Jason,<o:p></o:p></span></p><p class=MsoNormal><span 
style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>I could run my code with the following JARs:<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>batik-css.jar<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>nekohtml.jar<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>xerces-2.0.2.jar<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>xml-apis.jar<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>However, it is not able to remove the code for the alert box from dirtyInput. 
<i>(have a look at the URL in my previous mail below)<o:p></o:p></i></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>I tried all Policy files but none of them gave any success.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Here is what I tried </span><span style='font-size:10.0pt;font-family:Wingdings;color:blue'></span><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2;text-autospace:none'><![if !supportLists]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Fails<o:p></o:p></span></b></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>String</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>dirtyInput</span> <span style='color:black'>=</span> <span style='color:#2A00FF'>&quot;</span><span style='color:#3F7F5F'>1';alert(1)//</span><span style='color:#2A00FF'>&quot;</span><span style='color:black'>;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier 
New";color:black;background:white;mso-highlight:white'>Policy</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>policy</span> <span style='color:black'>=</span> <span style='color:black'>Policy.getInstance(POLICY_FILE_LOCATION);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>AntiSamy</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>as</span> <span style='color:black'>=</span> <b><span style='color:#7F0055'>new</span></b> <span style='color:black'>AntiSamy();</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>CleanResults</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>cr</span> <span style='color:black'>=</span> <span style='color:black'>as.scan(dirtyInput,</span> <span style='color:black'>policy);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>String</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>cleanInput</span> <span style='color:black'>=</span> <span style='color:black'>cr.getCleanHTML();</span></span><span style='font-size:10.0pt;font-family:"Courier New";color:black'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span 
style='font-size:10.0pt;font-family:"Courier New";color:black'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black'>This prints dirtyInput as it is. </span><span style='font-size:10.0pt;font-family:Wingdings;color:black'>L</span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2;text-autospace:none'><![if !supportLists]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Works fine<o:p></o:p></span></b></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>String</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>dirtyInput</span> <span style='color:black'>=</span> <span style='color:#2A00FF'>&quot;</span><span style='color:#3F7F5F'>123&lt;script&gt;alert(1)&lt;/script&gt;</span><span style='color:#2A00FF'>&quot;</span><span style='color:black'>;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>Policy</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>policy</span> <span style='color:black'>=</span> <span 
style='color:black'>Policy.getInstance(POLICY_FILE_LOCATION);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>AntiSamy</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>as</span> <span style='color:black'>=</span> <b><span style='color:#7F0055'>new</span></b> <span style='color:black'>AntiSamy();</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>CleanResults</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>cr</span> <span style='color:black'>=</span> <span style='color:black'>as.scan(dirtyInput,</span> <span style='color:black'>policy);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>String</span><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>cleanInput</span> <span style='color:black'>=</span> <span style='color:black'>cr.getCleanHTML();</span></span><span style='font-size:10.0pt;font-family:"Courier New";color:black'><o:p></o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black'>This prints 123</span><span 
style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Any idea what is going wrong in case 1?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Also, is there any documentation on how to prepare policy files? I am not able to understand how to add a new condition in Policy files.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Please help.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Thank you.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>With warm regards,<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Amey Mogare<o:p></o:p></span></b></p></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Mogare Amey <br><b>Sent:</b> Wednesday, May 11, 2011 11:58 AM<br><b>To:</b> 'Jason Li'<br><b>Cc:</b> owasp-antisamy@lists.owasp.org<br><b>Subject:</b> RE: [owasp-antisamy] Using Antisamy in URL validation<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Hi Jason,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Thank you for reply. It was very helpful.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>I have following queries </span><span style='font-size:10.0pt;font-family:Wingdings;color:blue'></span><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo4'><![if !supportLists]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>I want to use Antisamy for avoiding XSS attacks by cleaning the input data coming to server.<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span 
style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Following is a URL with an XSS attack on my application which I want to clean </span><span style='font-size:10.0pt;font-family:Wingdings;color:blue'></span><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><a href="https://%3chost:port%3e/mypage?url=/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8">https://&lt;host:port&gt;/mypage?url=/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8</a> %26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1<span style='background:yellow;mso-highlight:yellow'>%27%3balert%281%29</span>//&amp;system=SINEQUA_Search_System<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Here you can see that the &#8216;fuzzysearch&#8217; parameter contains an alert box.<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Can Antisamy be used to avoid such attacks? 
If yes, how?<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo4'><![if !supportLists]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>My applications are using Java 1.4 (j2sdk1.4.2_16). <o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Can the Antisamy JAR (antisamy-1.4.4.jar) be used with it?<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>If no, where can I download a suitable JAR?<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo4'><![if !supportLists]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>What are the dependent JARs that &#8216;antisamy-1.4.4.jar&#8217; needs?<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>I saw from your reply </span><span style='font-size:10.0pt;font-family:Wingdings;color:blue'></span><span 
style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'> <a href="https://lists.owasp.org/pipermail/owasp-antisamy/2010-October/000353.html">https://lists.owasp.org/pipermail/owasp-antisamy/2010-October/000353.html</a> that it needs the following JARs:<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>* Apache Xerces 2.8.1<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>* Apache Batik-CSS 1.7<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>* NekoHTML 1.9.12<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>* Apache Commons HTTP-Client 3.1<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>From where do I download these JARs?<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Are these versions compatible with Java 1.4? 
If not, please let me know the correct versions.<o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo4'><![if !supportLists]><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp; </span></span></span></b><![endif]><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>I tried it in my Java class for testing purposes, but it gives the following exception:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:red;background:white;mso-highlight:white'>java.lang.NoClassDefFoundError: org/apache/batik/css/parser/ParseException</span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:red;background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:107)</span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:red;background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; at XssTestMain.main(XssTestMain.java:37)</span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Courier New";color:red;background:white;mso-highlight:white'>Exception in thread &quot;main&quot;</span><span 
style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>This is my XssTestMain.java </span><span style='font-size:10.0pt;font-family:Wingdings;color:blue'></span><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span><b><span style='font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:white;mso-highlight:white'>import</span></b><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>org.owasp.validator.html.AntiSamy;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><b><span style='font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:white;mso-highlight:white'>import</span></b><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>org.owasp.validator.html.CleanResults;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><b><span style='font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:white;mso-highlight:white'>import</span></b><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>org.owasp.validator.html.Policy;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p 
class=MsoNormal style='text-indent:.5in;text-autospace:none'><b><span style='font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:white;mso-highlight:white'>import</span></b><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>org.owasp.validator.html.PolicyException;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><b><span style='font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:white;mso-highlight:white'>import</span></b><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <span style='color:black'>org.owasp.validator.html.ScanException;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><b><span style='font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:white;mso-highlight:white'>public</span></b><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <b><span style='color:#7F0055'>class</span></b> <span style='color:black'>XssTestMain</span> <span style='color:black'>{</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><b><span style='font-size:10.0pt;font-family:"Courier New";color:#7F0055;background:white;mso-highlight:white'>public</span></b><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'> <b><span style='color:#7F0055'>static</span></b> <b><span style='color:#7F0055'>void</span></b> <span style='color:black'>main(String[]</span> <span style='color:black'>args)</span> <span style='color:black'>{</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal 
style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <b><span style='color:#7F0055'>try</span></b> <span style='color:black'>{</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>String</span> <span style='color:black'>POLICY_FILE_LOCATION</span> <span style='color:black'>=</span> <span style='color:#2A00FF'>&quot;C:/AMEY/SAP NWDS_7.01.3/WorkspaceAmey/XssTest/antisamy-esapi.xml&quot;</span><span style='color:black'>;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>String</span> <span style='color:black'>dirtyInput</span> <span style='color:black'>=</span> <span style='color:#2A00FF'>&quot;1%27%3balert%281%29&quot;</span><span style='color:black'>;</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>System.out.println(</span><span style='color:#2A00FF'>&quot;dirtyInput : \n&quot;</span><span style='color:black'>+dirtyInput);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier 
New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>Policy</span> <span style='color:black'>policy</span> <span style='color:black'>=</span> <span style='color:black'>Policy.getInstance(POLICY_FILE_LOCATION);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>AntiSamy</span> <span style='color:black'>as</span> <span style='color:black'>=</span> <b><span style='color:#7F0055'>new</span></b> <span style='color:black'>AntiSamy();</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>CleanResults</span> <span style='color:black'>cr</span> <span style='color:black'>=</span> <span style='color:black'>as.scan(dirtyInput,</span> <span style='color:black'>policy);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>String</span> <span style='color:black'>cleanInput</span> <span style='color:black'>=</span> <span style='color:black'>cr.getCleanHTML();</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier 
New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>System.out.println(</span><span style='color:#2A00FF'>&quot;\ncleanInput : \n&quot;</span><span style='color:black'>+cleanInput);</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>}</span> <b><span style='color:#7F0055'>catch</span></b> <span style='color:black'>(PolicyException</span> <span style='color:black'>e)</span> <span style='color:black'>{</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:#3F7F5F'>// </span><b><span style='color:#7F9FBF'>TODO</span></b><span style='color:#3F7F5F'> Auto-generated catch block</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>e.printStackTrace();</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>}</span> <b><span style='color:#7F0055'>catch</span></b> <span style='color:black'>(ScanException</span> <span style='color:black'>e)</span> <span style='color:black'>{</span></span><span 
style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:#3F7F5F'>// </span><b><span style='color:#7F9FBF'>TODO</span></b><span style='color:#3F7F5F'> Auto-generated catch block</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>e.printStackTrace();</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:white;mso-highlight:white'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='color:black'>}</span></span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>}</span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:white;mso-highlight:white'>}</span><span style='font-size:10.0pt;font-family:"Courier New"'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet 
MS","sans-serif";color:blue'>Thank you.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>With warm regards,<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'>Amey Mogare<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:blue'><o:p>&nbsp;</o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jason Li [mailto:jason.li@owasp.org] <br><b>Sent:</b> Tuesday, May 10, 2011 11:57 PM<br><b>To:</b> Mogare Amey<br><b>Cc:</b> owasp-antisamy@lists.owasp.org<br><b>Subject:</b> Re: [owasp-antisamy] Using Antisamy in URL validation<o:p></o:p></span></p></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Mogare,<o:p></o:p></p><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>AntiSamy policy files are available here:<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://code.google.com/p/owaspantisamy/downloads/list">http://code.google.com/p/owaspantisamy/downloads/list</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>The AntiSamy Project is meant to validate user generated rich text (HTML) input against a whitelist specification of safe HTML elements in order to prevent cross-site scripting. 
It does not provide any other type of validation; in particular, a value that is reflected into a script or attribute context is not made safe by HTML sanitization and needs output encoding appropriate to that context.&nbsp;Depending on your use case, AntiSamy may or may not be appropriate for your requirements.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>You will need to identify the parameter you wish to validate and pass that parameter value into the AntiSamy scanner.&nbsp;For example, assuming the parameter containing user-generated rich text input was named &quot;inputHtml&quot;, AntiSamy can be invoked as follows:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>String dirtyInput = request.getParameter(&quot;inputHtml&quot;);<br>Policy policy = Policy.getInstance(INSERT_YOUR_POLICY_FILE_LOCATION);<br>AntiSamy as = new AntiSamy(policy);<br>CleanResults cr = as.scan(dirtyInput);<br>String cleanInput = cr.getCleanHTML();<o:p></o:p></p></blockquote><div><p class=MsoNormal>Again, note that AntiSamy is not a universal validator - its specific use case is to validate user-generated rich text input.<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=MsoNormal>-Jason<o:p></o:p></p></div><div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div><div><div><p class=MsoNormal>On Tue, May 10, 2011 at 9:13 AM, Mogare Amey &lt;<a href="mailto:Amey.Mogare@atosorigin.com">Amey.Mogare@atosorigin.com</a>&gt; wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I want to use the Antisamy API to clean URL parameters.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I read the details on <a 
href="https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project" target="_blank">https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project</a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>And downloaded &#8220;antisamy-1.4.4.jar&#8221; and imported it in my Java class.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I don&#8217;t know how to download the base policy file mentioned in the above URL. Where do I get it?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Can you please help me in achieving my requirement? <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Which method should I use to clean URL parameters?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thank you.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>With warm regards,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>Amey Mogare</b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><u>Atos Origin India | SAP NetWeaver/ EP/ Web Dynpro | Nessie NDC : Production Line - SAP | Email : <a href="mailto:Amey.mogare@atosorigin.com" target="_blank">Amey.mogare@atosorigin.com</a> | Office : <a href="tel:%2B91-22-6733-3732" target="_blank">+91-22-6733-3732</a> | Mobile : <a 
href="tel:%2B91-9820-303-464" target="_blank">+91-9820-303-464</a></u></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Owasp-antisamy mailing list<br><a href="mailto:Owasp-antisamy@lists.owasp.org">Owasp-antisamy@lists.owasp.org</a><br><a href="https://lists.owasp.org/mailman/listinfo/owasp-antisamy" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-antisamy</a><o:p></o:p></p></div><p class=MsoNormal><o:p>&nbsp;</o:p></p></div></div></body></html>