andresriancho / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
12 stars 15 forks source link

Empty <div> or <span> tags in input are malformed on output of scan().getCleanHTML() using AntiSamy.SAX #151

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Policy:
Any of the defaults; bug manifests in all of them

Input:
<div></div>

Code:
String input = "<div></div>";
String html = new AntiSamy().antisamy.scan(input, policy, 
AntiSamy.SAX).getCleanHTML();

Output:
<div</div>

This defect can break any page on which the the sanitized markup is rendered, 
as browsers cannot gracefully deal with this. Adding <div> or <span> to the 
allowed empty tag configs does not help- it will render them as <div /> or 
<span />, which are similarly poorly handled by the browser.

Original issue reported on code.google.com by seid...@gmail.com on 31 Jan 2013 at 7:36

GoogleCodeExporter commented 9 years ago
Which version of antisamy does this apply to ? It does not seem to apply to 1.5 
?

Original comment by kristian...@gmail.com on 14 Feb 2013 at 5:40

GoogleCodeExporter commented 9 years ago
This is present in version 1.4.5.

Original comment by seid...@gmail.com on 14 Feb 2013 at 6:43