Closed GoogleCodeExporter closed 9 years ago
The larger issue of relying on getErrorMessages().size() as an indication of
input safety is a misuse of the API, and I'm not sure I can do anything about
that. We give error messages to try to help the user massage their input, not
tell the site owner how many possible attacks are in the payload.
We will continue to try to make error messages appear for all the missteps in
the cleanup process. However, the error messages will never be a yardstick for
the input's safety.
To me, this is like blaming the guy who made the shield when the knight was
holding it sideways and left-handed. Can you tell I played D&D?
Original comment by arshan.d...@gmail.com
on 22 Oct 2012 at 2:29
So I understand that developers should only trust getCleanHTML() and use
getErrorMessages() for additional info, if any.
And I completely understand that now. So I think it would be better to educate
developers about how they implement and use AntiSamy.
I'm just curious whether you have talked about this substantially in any part of
the documentation?
Original comment by ahamedna...@gmail.com
on 23 Oct 2012 at 5:41
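The two usage patterns discussed in the comments above, side by side, as an added example that is not part of the original issue thread or of the AntiSamy project's own code. It uses the public AntiSamy API (AntiSamy.scan, CleanResults.getCleanHTML, CleanResults.getErrorMessages); the policy file name and the sample input are assumptions for the demonstration.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyUsage {

    // Constructed sample input for the demonstration; any user-supplied HTML fits here.
    static final String USER_INPUT =
        "<p onmouseover=\"doSomething()\">Hello <b>world</b></p>"
        + "<a href=\"javascript:alert(1)\">link</a>";

    /**
     * Misuse (the pattern the issue reporter had): treat an empty error list as
     * proof that the raw input is safe and render the raw input.
     */
    static String misuse(AntiSamy as, Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults cr = as.scan(input, policy);
        if (cr.getErrorMessages().size() == 0) {
            // BUG: the error list is advice for the user about what was changed,
            // not a safety verdict. Returning the raw input bypasses the sanitizer.
            return input;
        }
        return cr.getCleanHTML();
    }

    /**
     * Correct use: whatever the error list says, only the cleaned output is
     * ever rendered. The messages are shown to the user as hints, nothing more.
     */
    static String correctUse(AntiSamy as, Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults cr = as.scan(input, policy);
        List<String> errors = cr.getErrorMessages();
        for (String e : errors) {
            System.out.println("note to user: " + e);
        }
        return cr.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: one of the sample policy files shipped with AntiSamy is in the
        // working directory. Any valid AntiSamy policy works the same way.
        Policy policy = Policy.getInstance("antisamy-slashdot.xml");
        AntiSamy as = new AntiSamy();
        System.out.println("rendered: " + correctUse(as, policy, USER_INPUT));
    }
}
```

The same reasoning applies to CleanResults.getNumberOfErrors(): it is a count of messages intended for the user, and a zero there says nothing about whether the untouched input would be safe to render.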
Original issue reported on code.google.com by
ahamedna...@gmail.com
on 22 Oct 2012 at 11:09