[Owasp-leaders] AntiSamy

Jim Manico jim.manico at owasp.org
Sun Feb 3 22:39:28 UTC 2013


Dinis,

SRE only does encoding when it sees the context of display, this is cool. But we are talking about a different use case: HTML input from widgets like TinyMCE and CKEditor.

Take a look at the HtmlSanitizationLibrary assembly found in the 4.x AntiXss library. 

content = Sanitizer.GetSafeHtml(userInput);

Now this API is decent, but it's not configurable and is currently *too* secure. It also has a history of bypasses: http://blog.watchfire.com/wfblog/2012/01/microsoft-anti-xss-library-bypass.html. Those bypasses are fixed, but at the expense of being way too tight a ruleset around HTML validation in the current version.

I would recommend considering Stephen Walther's work here: http://htmlagilitypack.codeplex.com/

More information on why this is important can be found here:

http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx 

SRE is not going to help you here.

- Jim
@Manicode

> Actually on the .NET world we should be exploring the SRE - Security
> Runtime Engine (part of the Anti-XSS world) which is a spectacular way to
> inject 'auto-encoding' into .NET apps:
> 
> see http://wpl.codeplex.com/
> 
> Interestingly, the latest version of MS AntiXSS is so strong in its
> secure-by-default, that it pissed off a lot of developers (including
> yours truly)
> 
> Dinis Cruz
> 
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
> 
> 
> On 3 February 2013 18:16, Jason Johnson <jason.johnson at owasp.org> wrote:
> 
>> I noticed and I agree, most of the devs I know do not validate. I think
>> that if I can show the benefits of this it could be adopted as a standard
>> federally. AntiSamy as a whole, not just the .NET.
>>
>> Jason
>> On Feb 3, 2013, at 12:12 PM, Jim Manico wrote:
>>
>>> The Microsoft AntiXSS .NET function that provides HTML validation does
>>> not provide advanced policy configuration like AntiSamy.
>>>
>>> So while I think most .NET coders will use the default API (at best), I
>>> do think a .NET AntiSamy is still important.
>>>
>>> My 2 cents,
>>> Jim
>>>
>>>
>>>
>>>> I am as well, is the .NET project still needing attention or is the MS
>>>> version superseded. We could improve on it?
>>>>
>>>> Thoughts?
>>>> On Feb 3, 2013 11:44 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>
>>>>> I'm very excited to see the AntiSamy projects recent update! Nice work,
>>>>> folks.
>>>>>
>>>>> https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
>>>>>
>>>>> *****
>>>>>
>>>>> After over a year, version 1.5 is finally released!
>>>>>
>>>>> This version requires java 1.5.
>>>>>
>>>>> 1.5 promises to be significantly faster than previous releases; your
>>>>> mileage will vary anything from just some percent to a full 5 times
>>>>> faster, depending on use cases. A lot of attention has been put to
>>>>> typical "server" validation cases in this release.
>>>>>
>>>>> The DOM parser is still the fastest by a clear margin if you do a lot
>>>>> of parameter validation (short strings). If you additionally only use
>>>>> AntiSamy to avoid malicious data the DOM parser will be even faster if
>>>>> you avoid calling CleanResults#getCleanHTML.
>>>>>
>>>>> We also fixed issues 133, 135, 147 & 121. Nekohtml has also been
>>>>> upgraded to avoid all sorts of interesting OOMEs and stack overflows.
>>>>> Also, this version no longer depends on xercesImpl, avoiding a whole
>>>>> bunch of interesting conflicts.
>>>>>
>>>>> The internal interfaces have changed quite significantly; the external
>>>>> interfaces have very minor changes that should not affect most users.
>>>>>
>>>>> Enjoy !
>>>>>
>>>>> Kristian
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>
>>
>>
> 
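The thread contrasts AntiXSS's fixed-ruleset `Sanitizer.GetSafeHtml` with AntiSamy's policy-driven scan, and Kristian's release note points out that callers who only want to reject malicious input can skip `CleanResults#getCleanHTML`. The following Java class is an added example written for this archive page; it is not code from the thread or from the AntiSamy project. It uses the AntiSamy 1.5-era API (`Policy.getInstance`, `AntiSamy.scan` with the `AntiSamy.DOM` parser, `CleanResults`). The policy resource name `/antisamy.xml` and the sample inputs are assumptions, and which elements count as violations depends entirely on the policy you load.

```java
import java.io.InputStream;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Two ways of using AntiSamy against rich-text input from an HTML editor:
 * a display path that keeps the cleaned markup, and a validation-only path
 * that never serializes the cleaned DOM. Added example, not project code.
 */
public class AntiSamyDemo {

    // Assumption: a policy file on the classpath. AntiSamy ships several
    // sample policies; load the one your deployment has reviewed.
    private static final String POLICY_RESOURCE = "/antisamy.xml";

    private final Policy policy;

    public AntiSamyDemo() throws PolicyException {
        InputStream in = AntiSamyDemo.class.getResourceAsStream(POLICY_RESOURCE);
        if (in == null) {
            throw new IllegalStateException("policy resource not found: " + POLICY_RESOURCE);
        }
        // The policy, not the library defaults, decides what survives a scan.
        policy = Policy.getInstance(in);
    }

    /** Display path: clean the input and return the markup to be rendered. */
    public String sanitizeForDisplay(String taintedHtml) throws ScanException, PolicyException {
        CleanResults cr = new AntiSamy().scan(taintedHtml, policy, AntiSamy.DOM);
        // getCleanHTML() serializes the cleaned DOM; pay for it only when the output is used.
        return cr.getCleanHTML();
    }

    /** Validation-only path: accept the input only if the policy removed or altered nothing. */
    public boolean isCleanUnderPolicy(String taintedHtml) throws ScanException, PolicyException {
        CleanResults cr = new AntiSamy().scan(taintedHtml, policy, AntiSamy.DOM);
        // No getCleanHTML() call here: the error count alone answers the question.
        return cr.getNumberOfErrors() == 0;
    }

    /** The per-violation messages AntiSamy records, useful for logging rejected input. */
    public List<String> violations(String taintedHtml) throws ScanException, PolicyException {
        CleanResults cr = new AntiSamy().scan(taintedHtml, policy, AntiSamy.DOM);
        return cr.getErrorMessages();
    }

    public static void main(String[] args) throws Exception {
        AntiSamyDemo demo = new AntiSamyDemo();
        // Constructed sample inputs: simple formatting, and formatting plus a script element
        // that no sensible policy for editor output would allow.
        String formatting = "<p>Hello <b>world</b></p>";
        String withScript = "<p>Hello</p><script>alert(1)</script>";

        System.out.println("formatting accepted: " + demo.isCleanUnderPolicy(formatting));
        System.out.println("script accepted:     " + demo.isCleanUnderPolicy(withScript));
        System.out.println("cleaned markup:      " + demo.sanitizeForDisplay(withScript));
        for (String msg : demo.violations(withScript)) {
            System.out.println(" - " + msg);
        }
    }
}
```

The validation-only method is the case the release note describes: AntiSamy still parses and applies the policy, but skipping `getCleanHTML()` avoids re-serializing the DOM on every request when the application is only going to reject non-conforming input anyway. Whether `<p>` or `<b>` pass depends on the loaded policy, which is exactly the configurability Jim contrasts with the fixed AntiXSS ruleset.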