ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

When I call the API 'ESAPI.validator().getValidSafeHTML' with mixed-encoding input, the mixed input will be filtered. #645

Open wangyun2018 opened 2 years ago

wangyun2018 commented 2 years ago

1. When I call the API "ESAPI.validator().getValidSafeHTML" with the following input:

"<html>
<table>
    <tbody>
    <tr>
        <td><p>\n This administrative email\n is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If
            you\n want the early word on all Rockstar game announcements, official launches,\n contests, special events,
            and more <a href=\"https://socialclub.rockstargames.com/settings/email?utm_source=Social%20Club&amp;utm_medium=Email&amp;utm_campaign=Administrative%20Emails&amp;utm_content=en\">subscribe\n
                to the Rockstar Games Mailing List</a>.<p>
        </td>
    </tr>
    </tbody>
</table>
</html>"

The result is "<table> <tbody> <tr> <td><p> This administrative email is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If you want the early word on all Rockstar game announcements, official launches, contests, special events, and more subscribe to the Rockstar Games Mailing List.</p><p> </p></td> </tr> </tbody> </table>"

and the 'a' tag is missing.

  1. I have set the 'a' tag in the whitelist in antisamy.xml and set Encoder.AllowMixedEncoding=true
  2. I want to know how to make the result contain the 'a' tag

xeno6696 commented 2 years ago

So first and foremost: your intended input isn't translating very well across email. Could you drop it in a GitHub gist or include the sample as a text attachment? In my view here there is no "a" tag in the input to start with.

On 12/3/2021 1:28 AM, wangyun2018 wrote:

1. When I call the API "ESAPI.validator().getValidSafeHTML" with the input "

\n This administrative email\n is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If you\n want the early word on all Rockstar game announcements, official launches,\n contests, special events, and more subscribe\n to the Rockstar Games Mailing List.

"

The result is "

This administrative email is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If you want the early word on all Rockstar game announcements, official launches, contests, special events, and more subscribe to the Rockstar Games Mailing List.

"

and the 'a' tag is missing.

  1. I have set the 'a' tag in the whitelist in antisamy.xml and set Encoder.AllowMixedEncoding=true
  2. I want to know how to make the result contain the 'a' tag


wangyun2018 commented 2 years ago

The input file is below:

input.txt

The result after calling ESAPI.validator().getValidSafeHTML is below:

result.txt

and the 'a' tag is missing.

xeno6696 commented 2 years ago

oh wow... for some reason when this came in I completely missed this was github and thought it was hitting the main mailing list. My apologies. I'll try and reproduce.

kwwall commented 2 years ago

May want to try with the latest version of AntiSamy. There have been some updates in it that might fix the issue.

-kevin

simon0117 commented 2 years ago

@wangyun2018 did this get resolved? Can you provide the AntiSamy XML you are using? It does seem like an AntiSamy issue, not an ESAPI one. What is the reason to enable the strongly discouraged mixed encoding?

xeno6696 commented 2 years ago

@wangyun2018 I'm in a mode where I can debug this, but I need the relevant antisamy configs to minimize the time it takes to match your config. I would understand that you wouldn't want to publish the entire whitelist, but at minimum I need those href tag configs.

By default ESAPI is configured like this:

        <tag name="a" action="validate">
            <attribute name="href" onInvalid="filterTag"/>
            <attribute name="nohref">
                <literal-list>
                    <literal value="nohref"/>
                    <literal value=""/>
                </literal-list>
            </attribute>
            <attribute name="rel">
                <literal-list>
                    <literal value="nofollow"/>
                </literal-list>
            </attribute>
        </tag>

kwwall commented 2 years ago

@xeno6696 - Note: to test this in JUnit, you will have to create a custom AntiSamy XML policy file and drop it under 'src/test/resources' and load it with HTMLValidationRule.loadAntisamyPolicy("Name_of_your_policy_file") from your JUnit test. We already do that in 1 or 2 tests so you can follow them as an example.
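
The reproduction harness kwwall describes, written out as an added example (not a test from the ESAPI project): a JUnit 4 test that loads a custom AntiSamy policy from src/test/resources via HTMLValidationRule.loadAntisamyPolicy and asserts that an anchor with an https href survives getValidSafeHTML. The policy file name, the test class name, the sample input and the package placement (assumed to be needed because loadAntisamyPolicy is invoked the way ESAPI's own package-local tests do) are assumptions; ESAPI.properties and the policy file must be on the test classpath.

```java
// Added example, not ESAPI project code. Placed in the same package as
// HTMLValidationRule so the loadAntisamyPolicy call resolves (assumption).
package org.owasp.esapi.reference.validation;

import static org.junit.Assert.assertTrue;

import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public class AnchorTagSurvivesSanitizerTest {

    @BeforeClass
    public static void loadPolicy() throws Exception {
        // Hypothetical file name: drop your own AntiSamy policy, containing the
        // <tag name="a" action="validate"> whitelist entry, under src/test/resources.
        HTMLValidationRule.loadAntisamyPolicy("antisamy-esapi-issue645-test.xml");
    }

    @Test
    public void anchorWithHttpsHrefIsKept() throws ValidationException {
        // Constructed input modelled on the issue's sample: a single <a> tag whose
        // https href carries percent-encoded query parameters and an &amp; entity.
        String input = "<p>Subscribe <a href=\"https://example.invalid/settings"
                + "?utm_source=Social%20Club&amp;utm_medium=Email\">here</a>.</p>";

        // Arguments: context, input, maxLength, allowNull.
        String safe = ESAPI.validator().getValidSafeHTML("issue645", input, 1000, false);

        // With "a" whitelisted and the href valid, AntiSamy must keep the tag;
        // a failure here reproduces the stripping reported in this issue.
        assertTrue("anchor tag was stripped: " + safe, safe.contains("<a"));
        assertTrue("href was stripped: " + safe, safe.contains("href=\""));
    }
}
```

If the assertion fails with the stock ESAPI policy, swap in the reporter's policy fragment to narrow the cause to AntiSamy configuration versus the underlying parser.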

xeno6696 commented 2 years ago

Yeah I'm good: It's ready to go, I just need the proper inputs to see whether or not this is something I can help with.

I suspect it's AntiSamy as well but stranger things have happened.

kwwall commented 2 years ago

@xeno6696 - My guess, if it's not AntiSamy, it's one of the parsers that they are using. If the latter, it will not be fixed.

@wangyun2018 - Can you attach the AntiSamy XML policy file fragment that Matt asked for so we can try to get this wrapped up? Thanks!