[Owasp-leaders] AntiSamy

Ryan Barnett ryan.barnett at owasp.org
Mon Feb 4 00:05:38 UTC 2013


Anyone ever consider a project name change here? Veterans of the webappsec realm remember what Samy did and its wake-up call, but the project's name doesn't make it quickly clear to newcomers.

If you are going for wider adoption it is something to consider. 

--
Ryan Barnett


On Feb 3, 2013, at 1:16 PM, Jason Johnson <jason.johnson at owasp.org> wrote:

> I noticed and I agree, most of the devs I know do not validate. I think that if I can show the benefits of this it could be adopted as a standard federally. AntiSamy as a whole, not just the .NET.
> 
> Jason
> On Feb 3, 2013, at 12:12 PM, Jim Manico wrote:
> 
>> The Microsoft AntiXSS .NET function that provides HTML validation does not provide advanced policy configuration like AntiSamy.
>> 
>> So while I think most .NET coders will use the default API (at best), I do think a .NET AntiSamy is still important.
>> 
>> My 2 cents,
>> Jim
>> 
>> 
>> 
>>> I am as well. Is the .NET project still needing attention, or is the MS
>>> version superseded? We could improve on it?
>>> 
>>> Thoughts?
>>> On Feb 3, 2013 11:44 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>> 
>>>> I'm very excited to see the AntiSamy project's recent update! Nice work,
>>>> folks.
>>>> 
>>>> https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
>>>> 
>>>> *****
>>>> 
>>>> After over a year, version 1.5 is finally released!
>>>> 
>>>> This version requires Java 1.5.
>>>> 
>>>> 1.5 promises to be significantly faster than previous releases; your
>>>> mileage will vary, anything from a few percent to a full 5 times faster,
>>>> depending on use cases. A lot of attention has been paid to typical "server"
>>>> validation cases in this release.
>>>> 
>>>> The DOM parser is still the fastest by a clear margin if you do a lot of
>>>> parameter validation (short strings). If you additionally only use AntiSamy
>>>> to avoid malicious data, the DOM parser will be even faster if you avoid
>>>> calling CleanResults#getCleanHTML.
>>>> 
>>>> We also fixed issues 133, 135, 147 & 121. Nekohtml has also been upgraded to
>>>> avoid all sorts of interesting OOMEs and
>>>> stack overflows. Also, this version no longer depends on xercesImpl,
>>>> avoiding a whole bunch of interesting conflicts.
>>>> 
>>>> The internal interfaces have changed quite significantly; the external
>>>> interfaces have very minor changes that should not affect most users.
>>>> 
>>>> Enjoy!
>>>> 
>>>> Kristian
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
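The release note quoted above says the DOM scanner is the fast path for short-string parameter validation, and faster still when CleanResults#getCleanHTML is never called. The class below is an added example written for this page; it is not code from the thread or from the AntiSamy project. It assumes AntiSamy 1.5 is on the classpath and that a policy file (one of the XML policies shipped with the distribution) exists at the path given in POLICY_PATH; the input strings are constructed samples.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (not part of the thread or of AntiSamy itself). Shows the two
 * ways the release note distinguishes: a pure accept/reject check on a short
 * parameter that never serializes the cleaned DOM, and a sanitizing call that
 * does, while recording what the policy had to strip.
 */
public class AntiSamyCheck {

    // Assumption: a policy file from the AntiSamy distribution at this path.
    // Choose the policy that matches what your application is allowed to render.
    private static final String POLICY_PATH = "antisamy.xml";

    private final Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    public AntiSamyCheck(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
    }

    /**
     * True when the input contains nothing the policy had to remove or rewrite.
     * Only the error count is consulted; getCleanHTML() is deliberately not
     * called, which is the fast validation-only path from the release note.
     */
    public boolean isCleanHtml(String input) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(input, policy, AntiSamy.DOM);
        return results.getNumberOfErrors() == 0;
    }

    /**
     * Returns policy-conformant markup and reports each element or attribute
     * that was dropped, so rejected input shows up in application logs.
     */
    public String sanitize(String input) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(input, policy, AntiSamy.DOM);
        List<String> errors = results.getErrorMessages();
        for (String message : errors) {
            System.err.println("antisamy: " + message);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        AntiSamyCheck check = new AntiSamyCheck(POLICY_PATH);

        // Constructed sample inputs: one plain, one carrying an event-handler
        // attribute that no sane comment policy allows.
        String benign = "<b>hello</b> world";
        String suspicious = "<b onmouseover=\"alert(1)\">hi</b>";

        System.out.println("benign accepted:     " + check.isCleanHtml(benign));
        System.out.println("suspicious accepted: " + check.isCleanHtml(suspicious));
        System.out.println("sanitized form:      " + check.sanitize(suspicious));
    }
}
```

For request-parameter validation, isCleanHtml is the method to call in the hot path; reserve sanitize for the places where the application actually needs to store or render the cleaned markup, since producing it costs the serialization the release note advises skipping.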

