andresriancho / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

< entity replaced with < #185

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I have potentially unsafe string like this:

testxssattack<script>confirm(xssattack)</script>

Why does my policy change < to <?
Hex format is safer than an HTML entity in my application, and I don't want
AntiSamy to make this kind of replacement. Is there any way to change this
behaviour? Inb4 any answer, the directive:

<directive name="entityEncodeIntlChars" value="false"/>

doesn't change anything in this case, neither true nor false.

Original issue reported on code.google.com by braindwe...@gmail.com on 23 Oct 2014 at 2:39