[Mashup-dev] HTML sanitation
Channa Gunawardena
channa at wso2.com
Thu Jul 3 21:32:50 PDT 2008
Hi Yumani,
Yes, if you can try some potentially malicious code in HTML that you use
for the user bio and comments, we can verify the actual functionality of
the Sanitation code and also determine if the sanitation policy is
strict enough.
If you google for XSS, the top link after the wikipedia entry is
actually a good resource for all sorts of tricks that we should be
protected from now!
Bye,
Channa.
Yumani Ranaweera wrote:
> Channa,
>
> Are there new tests that you want me to do around the new approach ?
> Or can I do a regression run over same functionality..?
>
> Yumani
>
> Channa Gunawardena wrote:
>> Hi All,
>>
>> I've taken out the basic and restrictive JavaScript sanitation I had
>> used for bio and comments earlier, and provided a sanitizeHtml method
>> in the MashupUtils class which actually wraps AntiSamy
>> (http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project), a
>> profile-based HTML sanitation tool, which is BSD licensed.
>>
>> This was pretty much the best sanitation tool I found out there with
>> the features and license we need. All the dependent jars it added to
>> our distro are Apache licensed, but it does add 3 jars, along with
>> its own code, for a total of 468K. Seems pretty big just to sanitize
>> HTML, but with AntiSamy we (and any ultimate user) can change the
>> policy XML file in the config directory to make the sanitation as
>> open or as paranoid as necessary.
>>
>> If the increase in download size seems too large and the solution
>> seems to be overkill, we can actually remove AntiSamy and
>> implement our own Java-based logic in the sanitizeHtml method, but I
>> personally would prefer to stay with this.
>>
>> Bye,
>> Channa.
>>
> _______________________________________________
> Mashup-dev mailing list
> Mashup-dev at wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/mashup-dev
>
--
********************************************
Channa Gunawardena
Technical Lead, WSO2 Inc.
channa at wso2.com; http://channa.gunawardena.org; +94 71 306 2722
"The Open Source SOA Company", http://wso2.com
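The sanitizeHtml wrapper the thread describes, written out as an added example; this is not the project's MashupUtils code. It uses the AntiSamy API (Policy.getInstance, AntiSamy.scan, CleanResults.getCleanHTML) and assumes a policy file named antisamy-policy.xml in a config directory, since the page does not give the file name. What survives depends entirely on that policy file, which is the point Channa makes about tuning it.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.io.File;

public class MashupUtilsExample {

    // Assumed path; the actual policy file name in the distro is not given on the page.
    private static final File POLICY_FILE = new File("config", "antisamy-policy.xml");
    private static Policy policy;

    // Parse the policy XML once; reloading it on every comment would be wasteful.
    private static synchronized Policy policy() throws PolicyException {
        if (policy == null) {
            policy = Policy.getInstance(POLICY_FILE);
        }
        return policy;
    }

    /** Reduce user-supplied HTML (bio, comment) to what the policy allows. */
    public static String sanitizeHtml(String untrustedHtml) {
        try {
            CleanResults results = new AntiSamy().scan(untrustedHtml, policy());
            // Each message names something the policy stripped; logging them
            // gives a record of how often users' markup is being cut down.
            for (Object msg : results.getErrorMessages()) {
                System.err.println("sanitizer removed: " + msg);
            }
            return results.getCleanHTML();
        } catch (PolicyException e) {
            // Fail closed: a bad policy must not let the original markup through.
            throw new IllegalStateException("cannot load AntiSamy policy", e);
        } catch (ScanException e) {
            throw new IllegalStateException("HTML sanitization failed", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample of the kind of markup a bio field might receive:
        // a harmless paragraph mixed with an event handler and a script tag.
        String sample = "<p onmouseover=\"x()\">Hi <b>there</b></p>"
                + "<script>alert(1)</script>";
        System.out.println(sanitizeHtml(sample));
    }
}
```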