Comments (6)
OK. I started researching this yesterday but I can't replicate the misbehavior. This is what I'm seeing for the very first example under NOT Sanitized by AntiSamy:
Original:
<li><a href="javascript:x=alert,x%281%29">X:x</a></li>
getCleanHTML() Output:
<li><a href="javascript&#00058x=alert,x%281%29" rel="nofollow">X:x</a></li>
And when I click on that link in (Chrome, FF, IE), I get a similar error in all of them:
File Not Found for: PATH/TO/javascript:x=alert,x(1)
I'm using a slightly newer version of Chrome to test (73), and I'm simply copying the output of AntiSamy into a local HTML file and loading it in the browser. Am I doing something wrong in the way I'm testing this? Seems to me that the encoding of the & to & in the encoded colon (:) would now make that safe.
And then for the first 'tricky' test, I'm seeing this:
Original:
<li><a href="javascript&#x3Ax=alert,x%281%29">X&#x3A;x</a></li>
getCleanHTML() Output:
<li><a href="javascript&#x3Ax=alert,x%281%29" rel="nofollow">X&#x3A;x</a></li>
And I'm not seeing the & get decoded, so nothing dangerous here either.
Thanks @davewichers
Am I doing something wrong in the way I'm testing this?
Seems perfectly fine.
Seems to me that the encoding of the & to & in the encoded colon (:) would now make that safe.
That sounds correct.
Let me repeat these tests again with a standard configuration and report back.
@faf0-addepar - Just to be perfectly clear, I didn't fix/change AntiSamy in any way. It already encoded the & the way I describe above.
@davewichers - thanks for the info. It's possible that I misconfigured AntiSamy on my end when I compiled this list.
OK. I'm closing this then as 'invalid', but if you figure out how to make this bypass work, let us know! Hopefully you can't :-). If you do, I'll reopen.
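As an added example (not code from this thread or from AntiSamy), the check below models the single round of character-reference decoding a browser applies to an attribute value and then reads off the URL scheme, so the href forms discussed above can be compared: numeric references decode even without a closing semicolon, so the raw `&#00058` / `&#x3A` inputs become `javascript:` URLs, while a value whose ampersand is itself encoded as `&amp;` (the encoding of the & that the thread describes for AntiSamy's output) decodes only to a literal `&#00058` with no colon. The function names and the sample table are this example's own.

```javascript
// Minimal model of browser attribute-value decoding: numeric references
// (decimal or hex, leading zeros allowed, ';' optional) plus the named
// references needed here. Named refs outside this table are left untouched.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// One round of decoding, as the HTML parser does for an attribute value.
// `&amp;#00058` therefore yields the literal text `&#00058`, not a colon.
function decodeAttr(value) {
  return value.replace(
    /&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot|apos);?/gi,
    (match, body) => {
      if (body[0] === "#") {
        const hex = body[1].toLowerCase() === "x";
        const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
        return String.fromCodePoint(cp);
      }
      return NAMED[body.toLowerCase()] ?? match;
    }
  );
}

// Scheme of the decoded URL, lowercased; "" means a relative URL.
// Browsers strip ASCII tab/newline anywhere in a URL and ignore leading
// control characters/spaces, so the same is done before matching.
function urlScheme(decodedHref) {
  const cleaned = decodedHref.replace(/[\t\n\r]/g, "");
  const m = /^[\x00-\x20]*([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : "";
}

// True when the attribute value, as a browser would interpret it, is a
// javascript: URL. This is the property a sanitizer's output must not have.
function isJavascriptHref(rawAttr) {
  return urlScheme(decodeAttr(rawAttr)) === "javascript";
}

// Constructed sample inputs taken from the forms quoted in the thread.
const SAMPLES = {
  decimalColonRef:  "javascript&#00058x=alert,x%281%29",     // decodes to javascript:
  hexColonRef:      "javascript&#x3Ax=alert,x%281%29",       // decodes without the ';'
  ampEncoded:       "javascript&amp;#00058x=alert,x%281%29", // stays a relative URL
  plainHttps:       "https://example.org/",
};

function classifySamples() {
  const result = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    result[name] = isJavascriptHref(value);
  }
  return result;
}
```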