[Owasp-leaders] AntiSamy

Jim Manico jim.manico at owasp.org
Sun Feb 3 18:12:38 UTC 2013


The Microsoft AntiXSS .NET function that provides HTML validation does not provide advanced policy configuration like AntiSamy.

So while I think most .NET coders will use the default API (at best), I do think a .NET AntiSamy is still important.

My 2 cents,
Jim



> I am as well, is the .NET project still needing attention or is the MS
> version superseded. We could improve on it?
> 
> Thoughts?
> On Feb 3, 2013 11:44 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
> 
>> I'm very excited to see the AntiSamy project's recent update! Nice work,
>> folks.
>>
>> https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
>>
>> *****
>>
>> After over a year, version 1.5 is finally released!
>>
>> This version requires Java 1.5.
>>
>> 1.5 promises to be significantly faster than previous releases; your
>> mileage will vary anything from just some percent to a full 5 times faster,
>> depending on use cases. A lot of attention has been put to typical "server"
>> validation cases in this release.
>>
>> The DOM parser is still the fastest by a clear margin if you do a lot of
>> parameter validation (short strings). If you additionally only use AntiSamy
>> to avoid malicious data the DOM parser will be even faster if you avoid
>> calling CleanResults#getCleanHTML
>>
>> We also fixed issue 133, 135, 147 & 121. Nekohtml has also been upgraded to
>> avoid all sorts of interesting OOME's and
>> stack overflows. Also, this version no longer depends on xercesImpl,
>> avoiding a whole bunch of interesting conflicts.
>>
>> The internal interfaces have changed quite significantly; the external
>> interfaces have very minor changes that should not affect most users.
>>
>> Enjoy !
>>
>> Kristian
>>


