Comments (5)
I just added the following test case to AntiSamyTest.java and it passes no problem. It includes a test that matches your issue title (ending with />) as well as a test without the / at the end, and then the <style/onload version of the test you described in the 'test case for reference' you provided, which actually looks more like issue #44.
@Test
public void testGithubIssue47() throws PolicyException, ScanException {
assertEquals( "", as.scan("<svg/onload = alert('Hello')>", policy, AntiSamy.SAX).getCleanHTML());
assertEquals( "", as.scan("<svg/onload = alert('Hello')/>", policy, AntiSamy.DOM).getCleanHTML());
assertEquals( "", as.scan("<style/onload = alert(document.domain)>", policy, AntiSamy.SAX).getCleanHTML());
assertEquals( "", as.scan("<style/onload = alert(document.domain)>", policy, AntiSamy.DOM).getCleanHTML());
}
As such, I can't replicate the issue. Can you provide a pull request to AntiSamyTest.java with a failing test case that demonstrates your issue?
from antisamy.
Hey Thanks,
But I am not getting any Scan Security Error CleanResults.getErrorMessages()
as my code is depending on an error we will modify it and that return text.
from antisamy.
@davewichers Do You have any update for it.
from antisamy.
The getErrorMessages()
API does not answer the question "is this safe input?" You must always use the sanitized input. The serialization and deserialization process is purposefully lossy and will filter attacks, but one of the tradeoffs is that we don't have an ability to see them in retrospect.
The JavaDoc and README.md
should be more clear about that, so I think that should be the scope of the ticket.
from antisamy.
The README.md has been updated to be more clear on this, as has the JavaDoc, and these changes have been checked into 'master' in commit 75f9bb4. The JavaDoc changes will also be pushed out in the 1.5.11 release, which we are working on now but in the meantime, the README displayed on github for this project has the latest guidance on how getErrorMessages() works.
from antisamy.
Related Issues (20)
- 2 enhancement HOT 2
- 1 enhancement with api HOT 2
- CVE-2022-24891 HOT 7
- Removing Xerces dependency? HOT 3
- Does Antisamy has support for custom css properties " --* " and css-function " var() " and how to define it in the antisamy policy file? HOT 10
- Enabled noopenerAndNoreferrerAnchors policy drops nofollow HOT 7
- Covering all cases of "rel" attribute in "anchor" tag is quite verbose HOT 3
- Investigate replacing Batik CSS HOT 1
- Dealing with Security Vulnerabilities CVE-2023-26119 HOT 13
- AntiSamy encodes unknown tags despite not being configured that way HOT 6
- GraalVM Support HOT 4
- noopenerAndNoreferrerAnchors policy directive seems disabled by default in 1.7.2 version HOT 2
- How to find if vulnerable script is present in the input HOT 8
- Is there a way to not encode certain HTML Entities? HOT 6
- antisamy:1.7.3 contains batik-css:1.16 that has CVE-2022-44729 vulnerability HOT 1
- Sanitized output for same tainted input differs from AntiSamy 1.7.3 to 1.7.4 HOT 6
- Regex named: "Paragraph", is causing "StackOverFlowError" HOT 8
- the argument 'policy' never be used HOT 1
- antiSamy.scan(input, policy) giving the following as not a valid html. HOT 8
- Prevent formatting and translation of css HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.