[Mashup-dev] HTML sanitation
Yumani Ranaweera
yumani at wso2.com
Thu Jul 3 20:46:33 PDT 2008
Channa,
Are there new tests that you want me to do around the new approach? Or
can I do a regression run over the same functionality?
Yumani
Channa Gunawardena wrote:
> Hi All,
>
> I've taken out the basic and restrictive JavaScript sanitation I had
> used for bio and comments earlier, and provided a sanitizeHtml method
> in the MashupUtils class which actually wraps AntiSamy
> (http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) a
> profile based HTML sanitation tool, which is BSD licensed.
>
> This was pretty much the best sanitation tool I found out there with
> the features and license we need. All the dependent jars it added to
> our distro are apache licensed, but it does add 3 jars, along with
> its own code, for a total of 468K. Seems pretty big just to sanitize
> HTML, but with AntiSamy we (and any ultimate user), can change the
> policy XML file in the config directory to make the sanitation as open
> or as paranoid as necessary.
>
> If the increase in download size seems too large and the solution
> seems to be an overkill, we can actually remove AntiSamy and implement
> our own Java based logic in the sanitizeHtml method, but I personally
> would prefer to stay with this.
>
> Bye,
> Channa.
>
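The wrapper Channa describes, as an added example that is not the Mashup Server's own MashupUtils.sanitizeHtml code: a thin method around the real AntiSamy API (AntiSamy.scan, Policy.getInstance, CleanResults.getCleanHTML) that loads the policy XML once, returns the cleaned markup, and fails closed by HTML-escaping the whole input if the scan itself throws. The policy path, the class name and the sample input are assumptions; the AntiSamy jar and its dependencies are expected on the classpath.

```java
// Added example: wraps AntiSamy the way the mail describes. Not the project's own code.
// Assumed: POLICY_FILE is a placeholder for the policy XML kept in the config directory.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public final class HtmlSanitizerExample {

    // Placeholder path; a deployment would point this at its own AntiSamy policy file,
    // which is what makes the sanitation "as open or as paranoid as necessary".
    private static final String POLICY_FILE = "/path/to/config/antisamy-policy.xml";

    // Parsing the policy is comparatively expensive, so do it once per JVM.
    private static final Policy POLICY = loadPolicy();

    private static Policy loadPolicy() {
        try {
            return Policy.getInstance(POLICY_FILE);
        } catch (PolicyException e) {
            // A missing or malformed policy must abort startup rather than silently
            // letting untrusted HTML through unsanitized.
            throw new IllegalStateException("cannot load AntiSamy policy: " + POLICY_FILE, e);
        }
    }

    /**
     * Returns HTML reduced to what the policy allows. If AntiSamy cannot scan the
     * input, the whole string is escaped instead, so the caller never receives
     * markup that was not checked (fail closed).
     */
    public static String sanitizeHtml(String untrusted) {
        if (untrusted == null || untrusted.isEmpty()) {
            return "";
        }
        try {
            CleanResults result = new AntiSamy().scan(untrusted, POLICY);
            // Each entry names something the policy rejected (e.g. a removed tag or
            // attribute); logging them is a cheap signal of who is posting hostile markup.
            for (String msg : result.getErrorMessages()) {
                System.err.println("sanitizeHtml removed: " + msg);
            }
            return result.getCleanHTML();
        } catch (ScanException e) {
            return escapeHtml(untrusted);
        } catch (PolicyException e) {
            return escapeHtml(untrusted);
        }
    }

    // Minimal escaping of the characters that can open markup or break out of an attribute.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of the kind of bio/comment text the mail is about.
        String sample = "<p>Hi, I am <b>Yumani</b>.<script>alert(1)</script></p>";
        System.out.println(sanitizeHtml(sample));
    }
}
```

With the default AntiSamy policies the `<script>` element is removed and the `<p>`/`<b>` structure is kept; exactly which tags and attributes survive is decided entirely by the policy file, which is why the same wrapper serves both a permissive and a paranoid configuration.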