dqw / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

Add support for including policy files #86

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I want to be able to include one AntiSamy policy file within another. That way 
you could mix and match rules without having to duplicate the same entries in 
multiple policy files. For example, if you wanted to allow HTML tables in some 
places and not others, you could put all allowable table tags into one policy 
file and just include it in the policy file where tables are appropriate.

I'd like to add support for a construct like the following within the AntiSamy 
policy file:

    <anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:noNamespaceSchemaLocation="antisamy.xsd">

        <include href="antiSamy.basicRules.xml"/>
        <include href="antiSamy.tableRules.xml"/>

    </anti-samy-rules>

Original issue reported on code.google.com by augu...@gmail.com on 30 Sep 2010 at 11:40

GoogleCodeExporter commented 8 years ago
First draft of a patch to make includes work as described above. It is still a 
bit rough and includes a lot of debug which needs to come out before final 
checkin.

This patch allows for include files to be loaded with paths relative to the 
root document. This works ONLY when the initial policy file is loaded with the 
new getInstance(URL url) factory method: 

    public static Policy getInstance(URL url) throws PolicyException 

NOTE: Only 1 level of include is currently allowed. Recursive includes are not 
supported. 

Original comment by augu...@gmail.com on 30 Sep 2010 at 11:55

GoogleCodeExporter commented 8 years ago
New draft attached: 

- Deprecated InputStream based factory method
- Made other factories ultimately use the URL-based factory
- Modified test case to use URL-based factory and also attempt to load policy 
file using InputStream to make sure includes fail nicely
- Cleaned up parseX methods to return void
- Changed encodeTags collection to a Set

Original comment by augu...@gmail.com on 5 Oct 2010 at 11:47

GoogleCodeExporter commented 8 years ago
Looks good. Go ahead and commit.

Original comment by arshan.d...@gmail.com on 6 Oct 2010 at 3:23

GoogleCodeExporter commented 8 years ago
Code checked in to SVN. 

Original comment by augu...@gmail.com on 6 Oct 2010 at 7:32
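
The include behaviour described in this thread (each `href` resolved relative to the root policy's URL, one level of include only) can be sketched as follows; this is an added example, not the attached patch or any AntiSamy code. `IncludeDemo`, `collectTags`, the simplified `<tag name="..."/>` sample files, the choice to reject nested includes with an exception, and the refusal of DTDs are all assumptions of this sketch.

```java
import java.net.URL;
import java.nio.file.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added illustration: class, method names and sample policy content are hypothetical, not AntiSamy's.
public class IncludeDemo {
    static Document parse(URL url) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Policy files are configuration: refuse DTDs so no file can declare external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        try (var in = url.openStream()) {
            return f.newDocumentBuilder().parse(in);
        }
    }

    // Collects tag names from the root policy and from each file it includes (one level only).
    static Set<String> collectTags(URL root) throws Exception {
        Set<String> tags = new TreeSet<>();
        Document doc = parse(root);
        addTags(doc, tags);
        NodeList includes = doc.getElementsByTagName("include");
        for (int i = 0; i < includes.getLength(); i++) {
            String href = ((Element) includes.item(i)).getAttribute("href");
            URL child = new URL(root, href);   // needs a base URL; a bare InputStream has none
            Document inc = parse(child);
            if (inc.getElementsByTagName("include").getLength() > 0)
                throw new IllegalStateException("nested include in " + child);
            addTags(inc, tags);
        }
        return tags;
    }

    static void addTags(Document d, Set<String> out) {
        NodeList n = d.getElementsByTagName("tag");
        for (int i = 0; i < n.getLength(); i++) out.add(((Element) n.item(i)).getAttribute("name"));
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("policy");   // constructed sample files
        Files.writeString(dir.resolve("antiSamy.basicRules.xml"), "<anti-samy-rules><tag name=\"b\"/></anti-samy-rules>");
        Files.writeString(dir.resolve("antiSamy.tableRules.xml"), "<anti-samy-rules><tag name=\"table\"/><tag name=\"td\"/></anti-samy-rules>");
        Path root = dir.resolve("antisamy.xml");
        Files.writeString(root, "<anti-samy-rules><include href=\"antiSamy.basicRules.xml\"/>"
                + "<include href=\"antiSamy.tableRules.xml\"/></anti-samy-rules>");
        System.out.println(collectTags(root.toUri().toURL()));
    }
}
```

Because `new URL(root, href)` accepts `../` segments and absolute URLs in `href`, a deployment that loads policy files from a location others can write to would also want to check that each resolved include stays within the expected directory and scheme.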