This sounds like a fun conversation, keep me in the loop!!!<br><br>
<div class="gmail_quote">2009/4/1 Arshan Dabirsiaghi <span dir="ltr">&lt;<a href="mailto:arshan.dabirsiaghi@aspectsecurity.com">arshan.dabirsiaghi@aspectsecurity.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div lang="EN-US" vlink="purple" link="blue">
<div>
<p>He claims here that he has 2 proofs of concept for bypassing AntiSamy:</p>
<p>&nbsp;</p>
<p><a href="http://blog.engineeringforfun.com/hacking-related/bypassing-owasps-antisamy.html" target="_blank">http://blog.engineeringforfun.com/hacking-related/bypassing-owasps-antisamy.html</a></p>
<p>&nbsp;</p>
<p>Yet when I try both the vectors on my public-please-hack-me test page, they fail:</p>
<p>&nbsp;</p>
<p><a href="http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp?profile=Proof+of+concept%0D%0A%3Ca+-+href%3D%22%2F%22+onmouseover%3D%22javascript%3Aalert%281%29%22%3Elink%3C%2Fa%3E%0D%0A%3Cimg+.+src%3D%25" target="_blank">http://i8jesus.com:9080/AntiSamyDemoWebApp/test.jsp?profile=Proof+of+concept%0D%0A%3Ca+-+href%3D%22%2F%22+onmouseover%3D%22javascript%3Aalert%281%29%22%3Elink%3C%2Fa%3E%0D%0A%3Cimg+.+src%3D%</a></p>

<p>&nbsp;</p>
<p>Comments are bizarrely turned off on his blog and I can’t find his email. I’m trying to temper my irritation in case he actually has something, but the prospect of an OWASPer trying to “out” another OWASPer with non-reproducible slander is <i>very</i> disappointing.</p>

<p>&nbsp;</p><font color="#888888">
<p>Arshan</p></font></div></div><br>_______________________________________________<br>OWASP-Leaders mailing list<br><a href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br><a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Eoin Keary CISSP CISA<br><a href="https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference">https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference</a><br>
<br>OWASP Code Review Guide Lead Author<br>OWASP Ireland Chapter Lead<br>OWASP Global Committee Member (Industry)<br><br>Quis custodiet ipsos custodes<br>