[Owasp-leaders] AntiSamy

Dinis Cruz dinis.cruz at owasp.org
Sun Feb 3 22:04:50 UTC 2013


Actually, in the .NET world we should be exploring the SRE - Security
Runtime Engine (part of the Anti-XSS world), which is a spectacular way to
inject 'auto-encoding' into .NET apps:

see http://wpl.codeplex.com/

Interestingly, the latest version of MS AntiXSS is so strong in its
secure-by-default that it pissed off a lot of developers (including
yours truly).

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 3 February 2013 18:16, Jason Johnson <jason.johnson at owasp.org> wrote:

> I noticed and I agree, most of the devs I know do not validate. I think
> that if I can show the benefits of this it could be adopted as a standard
> federally. AntiSamy as a whole, not just the .NET one.
>
> Jason
> On Feb 3, 2013, at 12:12 PM, Jim Manico wrote:
>
> > The Microsoft AntiXSS .NET function that provides HTML validation does
> not provide advanced policy configuration like AntiSamy.
> >
> > So while I think most .NET coders will use the default API (at best), I
> do think a .NET AntiSamy is still important.
> >
> > My 2 cents,
> > Jim
> >
> >
> >
> >> I am as well. Is the .NET project still needing attention, or is the MS
> >> version superseded? We could improve on it?
> >>
> >> Thoughts?
> >> On Feb 3, 2013 11:44 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
> >>
> >>> I'm very excited to see the AntiSamy projects recent update! Nice work,
> >>> folks.
> >>>
> >>> https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
> >>>
> >>> *****
> >>>
> >>> After over a year, version 1.5 is finally released!
> >>>
> >>> This version requires Java 1.5.
> >>>
> >>> 1.5 promises to be significantly faster than previous releases; your
> >>> mileage will vary, anywhere from a few percent to a full 5 times faster,
> >>> depending on use cases. A lot of attention has been put on typical "server"
> >>> validation cases in this release.
> >>>
> >>> The DOM parser is still the fastest by a clear margin if you do a lot of
> >>> parameter validation (short strings). If you additionally only use AntiSamy
> >>> to avoid malicious data, the DOM parser will be even faster if you avoid
> >>> calling CleanResults#getCleanHTML.
> >>>
> >>> We also fixed issues 133, 135, 147 & 121. NekoHTML has also been upgraded to
> >>> avoid all sorts of interesting OOMEs and stack overflows. Also, this version
> >>> no longer depends on xercesImpl, avoiding a whole bunch of interesting
> >>> conflicts.
> >>>
> >>> The internal interfaces have changed quite significantly; the external
> >>> interfaces have very minor changes that should not affect most users.
> >>>
> >>> Enjoy!
> >>>
> >>> Kristian
> >>>
> >>>
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>
> >>>
> >>
> >
>
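The validation-versus-sanitisation distinction in Kristian's release note above (use the DOM parser for short parameter checks, and skip CleanResults#getCleanHTML when you only want to reject malicious input rather than repair it), as an added example written for this page. It is not code from the AntiSamy project or from anyone in the thread; it assumes the AntiSamy 1.5 Java API (org.owasp.validator.html) and a policy file at the hypothetical path antisamy-slashdot.xml, and the two HTML inputs are constructed for illustration:

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyValidationExample {

    // Assumed path to one of the policy files shipped with AntiSamy; adjust to your deployment.
    private static final String POLICY_PATH = "antisamy-slashdot.xml";

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(POLICY_PATH);
        AntiSamy antiSamy = new AntiSamy();

        // Constructed sample inputs: one benign, one carrying an event-handler attribute.
        String[] inputs = {
            "<b>hello</b>",
            "<b onmouseover=\"alert(1)\">hello</b>"
        };

        // Validation mode: short parameter strings, DOM parser, reject on any policy violation,
        // and never call getCleanHTML() because we do not intend to render a repaired value.
        for (String input : inputs) {
            boolean accepted = isAcceptable(antiSamy, policy, input);
            System.out.println((accepted ? "accept: " : "reject: ") + input);
        }

        // Sanitisation mode: only when the repaired markup is actually going to be rendered
        // is it worth paying for the serialised clean output.
        CleanResults results = antiSamy.scan(inputs[1], policy, AntiSamy.DOM);
        System.out.println("cleaned: " + results.getCleanHTML());
        for (String message : results.getErrorMessages()) {
            System.out.println("policy violation: " + message);
        }
    }

    // Returns true only if the input passed the policy untouched; any recorded error
    // (a stripped tag or attribute) means the caller should reject the value outright.
    static boolean isAcceptable(AntiSamy antiSamy, Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(input, policy, AntiSamy.DOM);
        return results.getNumberOfErrors() == 0;
    }
}
```

Rejecting on a non-zero error count is the conservative choice for parameter validation: a value that needed repair is treated as hostile rather than silently rewritten, which also avoids the cost of serialising clean HTML that the release note says the DOM path can skip.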