[Owasp-leaders] OWASP Java HTML Sanitizer project

Jim Manico jim.manico at owasp.org
Thu Oct 6 10:57:52 EDT 2011

OWASP Community,

I'm very pleased to report on the progress of the OWASP Java HTML
Sanitizer project!

This project is a simple Java-based, ultra-high-speed, SAX-based,
drop-in, low-dependency component that allows defenders and builders to
validate HTML in a way that prevents XSS-type attacks.

The project was authored by Mike Samuel from Google. I'm personally
thrilled to see such a senior Google Application Security Engineer
donate such a key project to OWASP! A good deal of this code was
inspired by the open source Google CAJA project.

Also, August Detlefsen from CodeMagi was kind enough to donate his time
to build http://www.canyouxssthis.com/ - a demo site that lets breakers
test their hacking skill against the OWASP HTML Sanitizer project. We
are going to continue building upon http://www.canyouxssthis.com to
allow attackers to try and break XSS defensive methodologies for all
kinds of input types and contexts. This is a non-commercial site (and
will stay a non-commercial site) and is meant to help us test a variety
of OWASP and other XSS defensive projects like JSoup.

For more information, please see:


Happy breaking, building and defending. :)


Jim Manico
Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org

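Editor's note: the following is an added usage example and is not code from the announcement above or from the OWASP Java HTML Sanitizer project itself. It shows the drop-in use the mail describes: an allowlist policy is built once with the project's HtmlPolicyBuilder and applied to untrusted HTML. The class name SanitizeDemo, the allowed element set and the sample inputs are the editor's own choices; the only real dependency is the sanitizer library (Maven artifact com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer).

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example (not project code): allowlist-based sanitization with the
 * OWASP Java HTML Sanitizer. Anything not explicitly allowed by the policy
 * is removed, so the defender never has to enumerate attack strings.
 */
public class SanitizeDemo {

    // Build the policy once; PolicyFactory is immutable and thread-safe,
    // so it can be shared across requests.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "b", "i", "em", "strong", "ul", "ol", "li", "a")
        .allowAttributes("href").onElements("a")   // the only attribute allowed at all
        .allowUrlProtocols("http", "https")        // rejects javascript:, data:, etc.
        .requireRelNofollowOnLinks()               // adds rel="nofollow" to surviving links
        .toFactory();

    /** Sanitize untrusted HTML before it is stored or rendered. */
    public static String sanitize(String untrusted) {
        return POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample inputs (editor's own, not from the page).
        String[] samples = {
            "<p>Hello <b>world</b></p>",                       // benign markup survives
            "<p onmouseover=\"alert(1)\">hover me</p>",        // event handler attribute is dropped
            "<a href=\"javascript:alert(1)\">click</a>",       // disallowed URL scheme is dropped
            "<script>alert(1)</script><i>still italic</i>",   // script element and its body are removed
            "<img src=x onerror=alert(1)>inline text",         // img is not allowed, so it is removed
        };
        for (String s : samples) {
            System.out.println("IN : " + s);
            System.out.println("OUT: " + sanitize(s));
            System.out.println();
        }
    }
}
```

The security-relevant point is that the policy is an allowlist: the sanitizer parses the input with its own HTML parser (rather than trusting the input's tag structure), keeps only listed elements and attributes, and re-serializes well-formed output, so malformed or nested-quote tricks that would confuse a regex-based filter never reach the browser.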