Comments (7)
What do you mean by it fails? It doesn't notice this at all? It strips it silently? It crashes?
What exactly do you want AntiSamy to do in this situation, as compared to what it does now?
from antisamy.
What do you mean by it fails? It doesn't notice this at all? It strips it silently? It crashes?
What exactly do you want AntiSamy to do in this situation, as compared to what it does now?
Can you check the test case which I have given.
<style/onload=alert(document.domain)> is not getting clean html. After Scan.
from antisamy.
from antisamy.
I just added a GitHub Action that will automatically run
mvn test
after a push. Can you open a branch with this failing test case?
…
On Wed, Jun 10, 2020 at 9:19 PM satishraikwar @.***> wrote: What do you mean by it fails? It doesn't notice this at all? It strips it silently? It crashes? What exactly do you want AntiSamy to do in this situation, as compared to what it does now? Can you check the test case which I have given. <style/onload=alert(document.domain)> is not getting clean html. After Scan. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#44 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAG6R6U6HG6R2LOUWTSFGMLRWAWL3ANCNFSM4N2FEAJA .
Sure 👍
from antisamy.
from antisamy.
OK. I created a new branch at: https://github.com/nahsra/antisamy/tree/issue44 which incorporates what it looks like @satishraikwar was trying to do. @nahsra - the results are a bit weird to me as well. I created 2 HTML strings (test44a & b) that incorporate the style of concern <style/onload=alert(document.domain)>
.
In both cases, the resulting 'clean' HTML strips out this style (which is good I think). But in the first case an error message is created:
[The stylesheet code "</li> </ol> </body> </html>" could not be parsed.]
But in the second case, with simply a SPACE character after the style snippet, no error message is thrown. I also manually tried a much simpler HTML snippet and got similar results, except the error message was thrown in the snippet w/out the space instead of the one with the space.
@satishraikwar - given this test code, what are you expecting AntiSamy to do? I think in both cases it returns the correct HTML, but in only 1 case does it return an error message, which I do agree is probably not correct. And I think the error message is related to what's left in the document, not the <style >
tag that was stripped out, even though what is left in the document is retained in the clean HTML.
from antisamy.
The getErrorMessages()
API does not answer the question "is this safe input?" You must always use the sanitized input. The serialization and deserialization process is purposefully lossy and will filter attacks, but one of the tradeoffs is that we don't have an ability to see them in retrospect.
I am marking this as a dupe of issue #47.
from antisamy.
Related Issues (20)
- Javadoc cleanup
- 2 enhancement HOT 2
- 1 enhancement with api HOT 2
- CVE-2022-24891 HOT 7
- Removing Xerces dependency? HOT 3
- Does Antisamy has support for custom css properties " --* " and css-function " var() " and how to define it in the antisamy policy file? HOT 10
- Enabled noopenerAndNoreferrerAnchors policy drops nofollow HOT 7
- Covering all cases of "rel" attribute in "anchor" tag is quite verbose HOT 3
- Investigate replacing Batik CSS HOT 1
- Dealing with Security Vulnerabilities CVE-2023-26119 HOT 13
- AntiSamy encodes unknown tags despite not being configured that way HOT 6
- GraalVM Support HOT 4
- noopenerAndNoreferrerAnchors policy directive seems disabled by default in 1.7.2 version HOT 2
- How to find if vulnerable script is present in the input HOT 8
- Is there a way to not encode certain HTML Entities? HOT 6
- antisamy:1.7.3 contains batik-css:1.16 that has CVE-2022-44729 vulnerability HOT 1
- Sanitized output for same tainted input differs from AntiSamy 1.7.3 to 1.7.4 HOT 6
- Regex named: "Paragraph", is causing "StackOverFlowError" HOT 8
- the argument 'policy' never be used HOT 1
- antiSamy.scan(input, policy) giving the following as not a valid html. HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from antisamy.