Filter Bypasses about antisamy HOT 6 CLOSED

OK. I started researching this yesterday but I can't replicate the misbehavior. This is what I'm seeing for the very first example under NOT Sanitized by AntiSamy:

Original:
<li><a href="javascript&#00058x=alert,x%281%29">X&#00058;x</a></li>

getCleanHTML() Output:
<li><a href="javascript&amp;#00058x=alert,x%281%29" rel="nofollow">X:x</a></li>

And when I click on that link in (Chrome, FF, IE), I get a similar error in all of them:
File Not Found for: PATH/TO/javascript&#00058x=alert,x(1)

I'm using a slightly newer version of Chrome to test (73), and I'm simply copying the output of AntiSamy into a local HTML file and loading it in the browser. Am I doing something wrong in the way I'm testing this? Seems to me that the encoding of the & to & in the encoded colon (&#00058) would now make that safe.

from antisamy.

And then for the first 'tricky' test, I'm seeing this:

Original:
<li><a href="javascript&amp;#x3Ax=alert,x%281%29">X&amp;#x3A;x</a></li>

getCleanHTML() Output:
<li><a href="javascript&amp;#x3Ax=alert,x%281%29" rel="nofollow">X&amp;#x3A;x</a></li>

And I'm not seeing the & get decoded, so nothing dangerous here either.

from antisamy.

Thanks @davewichers

Am I doing something wrong in the way I'm testing this?

Seems perfectly fine.

Seems to me that the encoding of the & to & in the encoded colon (&#58) would now make that safe.

That sounds correct.

Let me repeat these tests again with a standard configuration and report back.

from antisamy.

@faf0-addepar - Just to be perfectly clear, I didn't fix/change AntiSamy in any way. It already encoded the & the way I describe above.

from antisamy.

@davewichers - thanks for the info. It's possible that I misconfigured AntiSamy on my end when I compiled this list.

from antisamy.

OK. I'm closing this then as 'invalid', but if you figure out how to make this bypass work, let us know! Hopefully you can't :-). If you do, I'll reopen.

from antisamy.