antiSamy.scan(input, policy) giving the following as not a valid html. about antisamy HOT 8 CLOSED

these are my onsiteURL and offsiteURL.

from antisamy.

@spassarop - Can you research and respond?

from antisamy.

name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}\.#@$%+&;-~,?=/!]*(&colon))[\p{L}\p{N}\.#@$%+&;-~,?=/!]*"

name="offsiteURL"
value="(\s)((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}.#@$%+&;:-_~,?=/!()](\s)*"

from antisamy.

from antisamy.

name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}.#@$%+&;-,?=/!]*(&colon))[\p{L}\p{N}.#@$%+&;-,?=/!()]*"

i tried this with onsiteURL but it did not work, what am i missing here.

from antisamy.

the href contains following js method
'Lx.ui.launchBidAlternateValues(2942);'

from antisamy.

The a tag contained an attribute that we could not process. The href attribute had a value of "Lx.ui.launchBidAlternateValues(2942);". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

i am seeing this error.

from antisamy.

I don't know what your problem is. I tested this:

AntiSamy as = new AntiSamy();
String input = "<a href=\"Lx.ui.launchBidAlternateValues(2942);\">Awning</a>";
System.out.println(as.scan(input, policy, AntiSamy.DOM).getCleanHTML());
System.out.println(String.join("\n", as.scan(input, policy, AntiSamy.DOM).getErrorMessages()));
System.out.println(as.scan(input, policy, AntiSamy.SAX).getCleanHTML());
System.out.println(String.join("\n", as.scan(input, policy, AntiSamy.SAX).getErrorMessages()));

Where policy is the default AntiSamy policy from antisamy.xml. Before changing the policy, the output removes the href attribute as you report, as it should. Then I only when to the policy file and changed:

<regexp name="onsiteURL"
            value="^(?!//)(?![\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]*(&amp;colon))[\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]*" />

To this, as I mentioned in my previous comment (only added brackets):

<regexp name="onsiteURL"
            value="^(?!//)(?![\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]*(&amp;colon))[\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!()]*" />

After that, the output is as expected, without removal of href. From this I have two things to comment:
1- Modifying the policy actually works. Check again.
2- It does not sound correct that you want to admit a JS method (even though that does not work as a JS call without the javascript: schema) in a library that is created to prevent JS from executing. Think about it.

In conclusion I will close the issue and if there is a valid reason to reopen it, then do it.

from antisamy.