[Owasp-leaders] Important ESAPI announcement regarding CVE-2016-10006

Kevin W. Wall kevin.w.wall at gmail.com
Sat Sep 30 21:15:46 UTC 2017

I sent this out last week to the ESAPI Dev and ESAPI Users mailing
lists, but some suggested that I send it here as well in order to get
the word out.

If you are using the Validators in ESAPI or earlier, please listen up.

ESAPI uses a version of AntiSamy prior to 1.5.5, which
according to NIST's National Vulnerability Database is vulnerable to
CVE-2016-10006.  (See

CVE-2016-10006 refers to a vulnerability in AntiSamy (before 1.5.5)
that allows a special style tag as input that bypasses AntiSamy's
sanitization, resulting in XSS.

If you are using either of ESAPI's two Validator.getValidSafeHTML()
methods or the HTMLValidationRule.getValid() or
HTMLValidationRule.sanitize() methods along with a version of AntiSamy
prior to 1.5.5, then your ESAPI instance is exploitable via the
CVE-2016-10006 vulnerability. (By default, ESAPI uses AntiSamy
1.5.3, which is a vulnerable version of AntiSamy.  Earlier versions of
ESAPI use even earlier versions of AntiSamy.)

The next release of ESAPI will be using AntiSamy 1.5.6, which will
automatically fix this, but that release likely will not be out for a
month or two, so you should immediately MANUALLY download and install
AntiSamy 1.5.5 or later and use it with ESAPI. (Note that ESAPI 2.x
will work with AntiSamy 1.5.5 and 1.5.6.)

We will be updating the OWASP ESAPI wiki page (and perhaps the ESAPI
README.md file) in a day or two, but I wanted to get the word out now.
I naively thought everyone used OWASP Dependency Check by now and thus
was aware of this, so apologies if you were not aware.

I believe Arshan is also planning for an announcement in the next few
days regarding this as well for AntiSamy, if he has not already done

Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
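The practical question raised by the message above is "which AntiSamy does my deployed ESAPI actually load?" The script below is an added example, not code from the ESAPI or AntiSamy projects or from the original post: it pulls the AntiSamy version out of a jar file name or a Maven `dependency:list`-style coordinate line, compares it field by field against 1.5.5 (the first release the message names as fixed), and flags anything older. The sample dependency lines at the bottom are constructed for the demo, not real build output; the 1.5.5 threshold and the `antisamy` artifact naming are taken from the message, everything else (function names, the helper directory scan) is assumed for illustration.

```shell
#!/bin/sh
# Added example (not part of ESAPI or AntiSamy): find AntiSamy jars older than
# the first release the announcement names as fixed for CVE-2016-10006.

MIN_FIXED="1.5.5"   # first AntiSamy release not affected by CVE-2016-10006

# version_ge A B: succeed (exit 0) if dotted version A >= B.
# Compares numeric fields one at a time; a missing field counts as 0,
# so "1.5" < "1.5.5" and "1.6" > "1.5.5". Pure POSIX sh, no sort -V needed.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# antisamy_version LINE: print the AntiSamy version found in LINE, or nothing.
# Accepts a jar name ("antisamy-1.5.3.jar") or a Maven coordinate line
# ("org.owasp.antisamy:antisamy:jar:1.5.3:compile").
antisamy_version() {
  printf '%s\n' "$1" | sed -n -E 's/.*antisamy[-:](jar:)?([0-9]+(\.[0-9]+)*).*/\2/p'
}

# check_antisamy LINE: print a verdict; exit 1 only for a vulnerable AntiSamy.
# Lines that are not AntiSamy artifacts (e.g. the esapi jar itself) are skipped.
check_antisamy() {
  v="$(antisamy_version "$1")"
  if [ -z "$v" ]; then
    echo "skip: not an AntiSamy artifact: $1"
    return 0
  fi
  if version_ge "$v" "$MIN_FIXED"; then
    echo "ok: antisamy $v (>= $MIN_FIXED): $1"
    return 0
  fi
  echo "VULNERABLE: antisamy $v < $MIN_FIXED (CVE-2016-10006): $1"
  return 1
}

# check_deps: read jar paths or dependency lines from stdin, one per line;
# exit 1 if any of them is a vulnerable AntiSamy.
check_deps() {
  rc=0
  while IFS= read -r line; do
    if [ -z "$line" ]; then continue; fi
    check_antisamy "$line" || rc=1
  done
  return $rc
}

# scan_dir DIR: check every AntiSamy jar under DIR (e.g. WEB-INF/lib).
scan_dir() {
  find "$1" -type f -name 'antisamy*.jar' | check_deps
}

# Constructed sample input for the demo (not real output from any build):
# an ESAPI jar, the default AntiSamy the message describes as vulnerable,
# and a fixed AntiSamy dragged in only at test scope.
SAMPLE_DEPS='org.owasp.esapi:esapi:jar:2.1.0.1:compile
org.owasp.antisamy:antisamy:jar:1.5.3:compile
org.owasp.antisamy:antisamy:jar:1.5.6:test'

printf '%s\n' "$SAMPLE_DEPS" | check_deps \
  || echo "at least one vulnerable AntiSamy on the dependency list"
```

Run `scan_dir /path/to/WEB-INF/lib` against a deployed application, or pipe the output of `mvn dependency:list` through `check_deps`; the test-scope 1.5.6 in the sample is reported as fine on its own, but the compile-scope 1.5.3 next to it is still what the application ships with, which is exactly the case the announcement warns about. In a Maven build, the manual fix the message asks for is an explicit `org.owasp.antisamy:antisamy` dependency (or `dependencyManagement` entry) at 1.5.5 or later, declared so that it overrides the version ESAPI pulls in transitively; re-run the check afterwards rather than trusting the declaration.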
