Wei,<div><br></div><div>AntiSamy is meant to validate and sanitize input only for an HTML context.</div><div><br></div><div>The example you provide (%3cscript%3e) *is* safe for an HTML context assuming that the output is placed directly into the HTML context (without any further intermediary that might apply encoding or decoding).</div>


<div><br></div><div>If you are concerned about nested encoded attacks to other contexts, you may want to consider looking at the OWASP ESAPI Codecs and the reference Encoder implementation.</div><div><br></div><div>-Jason</div>


<div><br></div><div>P.S. You should direct questions about AntiSamy to the entire AntiSamy mailing list as there will likely be someone who can respond more quickly to your questions - thanks!</div><div><br><div class="gmail_quote">


On Mon, Sep 26, 2011 at 4:45 PM, Bian, Wei <span dir="ltr">&lt;<a href="mailto:wbian@fdic.gov" target="_blank">wbian@fdic.gov</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">











<div lang="EN-US" link="blue" vlink="blue">

<div>

<div>

<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Hi Jason:</span></font></p>

<p class="MsoNormal"><font size="2" color="navy" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:navy">Does AntiSamy </span></font><font size="2" color="blue" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:blue">handle encoded attacks?</span></font></p>

<p class="MsoNormal" style="text-autospace:none"><font size="2" color="blue" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:blue">Ex: %3Cscript%3E instead of &lt;script&gt;</span></font></p>

<p class="MsoNormal" style="text-autospace:none"><font size="2" color="blue" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:blue">I looked at the AntiSamy test site <a href="http://www.antisamy.net/" target="_blank">http://www.antisamy.net/</a>. It looks like it will pass any encoded input.</span></font></p>

<p class="MsoNormal" style="text-autospace:none"><font size="2" color="blue" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:blue">Thanks</span></font></p>

<p class="MsoNormal" style="text-autospace:none"><font size="2" color="blue" face="Arial"><span style="font-size:10.0pt;font-family:Arial;color:blue">Wei</span></font></p>

</div>

</div>

</div>


</blockquote></div><br></div>