Comments (8)
these are my onsiteURL and offsiteURL.
from antisamy.
@spassarop - Can you research and respond?
from antisamy.
name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}\.#@$%+&;-~,?=/!]*(&colon))[\p{L}\p{N}\.#@$%+&;-~,?=/!]*"
name="offsiteURL"
value="(\s)((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}.#@$%+&;:-_~,?=/!()](\s)*"
from antisamy.
from antisamy.
name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}.#@$%+&;-,?=/!]*(&colon))[\p{L}\p{N}.#@$%+&;-,?=/!()]*"
i tried this with onsiteURL but it did not work, what am i missing here.
from antisamy.
the href contains following js method
'Lx.ui.launchBidAlternateValues(2942);'
from antisamy.
The a tag contained an attribute that we could not process. The href attribute had a value of "Lx.ui.launchBidAlternateValues(2942);". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.
i am seeing this error.
from antisamy.
I don't know what your problem is. I tested this:
AntiSamy as = new AntiSamy();
String input = "<a href=\"Lx.ui.launchBidAlternateValues(2942);\">Awning</a>";
System.out.println(as.scan(input, policy, AntiSamy.DOM).getCleanHTML());
System.out.println(String.join("\n", as.scan(input, policy, AntiSamy.DOM).getErrorMessages()));
System.out.println(as.scan(input, policy, AntiSamy.SAX).getCleanHTML());
System.out.println(String.join("\n", as.scan(input, policy, AntiSamy.SAX).getErrorMessages()));
Where policy
is the default AntiSamy policy from antisamy.xml
. Before changing the policy, the output removes the href
attribute as you report, as it should. Then I only when to the policy file and changed:
<regexp name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!]*(&colon))[\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!]*" />
To this, as I mentioned in my previous comment (only added brackets):
<regexp name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!]*(&colon))[\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!()]*" />
After that, the output is as expected, without removal of href
. From this I have two things to comment:
1- Modifying the policy actually works. Check again.
2- It does not sound correct that you want to admit a JS method (even though that does not work as a JS call without the javascript:
schema) in a library that is created to prevent JS from executing. Think about it.
In conclusion I will close the issue and if there is a valid reason to reopen it, then do it.
from antisamy.
Related Issues (20)
- CVE-2022-24891 HOT 7
- Removing Xerces dependency? HOT 3
- Does Antisamy has support for custom css properties " --* " and css-function " var() " and how to define it in the antisamy policy file? HOT 10
- Enabled noopenerAndNoreferrerAnchors policy drops nofollow HOT 7
- Covering all cases of "rel" attribute in "anchor" tag is quite verbose HOT 3
- Investigate replacing Batik CSS HOT 1
- Dealing with Security Vulnerabilities CVE-2023-26119 HOT 13
- AntiSamy encodes unknown tags despite not being configured that way HOT 6
- GraalVM Support HOT 4
- noopenerAndNoreferrerAnchors policy directive seems disabled by default in 1.7.2 version HOT 2
- How to find if vulnerable script is present in the input HOT 8
- Is there a way to not encode certain HTML Entities? HOT 6
- antisamy:1.7.3 contains batik-css:1.16 that has CVE-2022-44729 vulnerability HOT 1
- Sanitized output for same tainted input differs from AntiSamy 1.7.3 to 1.7.4 HOT 6
- Regex named: "Paragraph", is causing "StackOverFlowError" HOT 8
- the argument 'policy' never be used HOT 1
- Prevent formatting and translation of css HOT 3
- Antisamy 1.7.5 version - <body> tag issue HOT 29
- When my runtime environment is a Chinese encoding environment, the list of error messages returned is garbled HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from antisamy.