What steps will reproduce the problem?
1. Add the following script "<a/href=javascript:alert(1)>xyz"
2. AntiSamy does not sanitize the text correctly
What is the expected output? What do you see instead?
The above script does not get sanitized. It does not identify the anchor tag
with script due to the char '/' between "a" and "href".
Browsers render this correctly and execute the script when
clicked: <a/href=javascript:alert(1)>xyz
What version of the product are you using? On what operating system?
Please provide any additional information below.
In the antisamy-restricted.xml file, the following is the policy definition for
the anchor tag:
<tag name="a" action="validate">
    <!-- onInvalid="filterTag" has been removed as per suggestion at OWASP
         SJ 2007 - just "name" is valid -->
    <attribute name="href" />
    <attribute name="nohref">
        <literal-list>
            <literal value="nohref"/>
            <literal value=""/>
        </literal-list>
    </attribute>
    <attribute name="rel">
        <literal-list>
            <literal value="nofollow" />
        </literal-list>
    </attribute>
    <attribute name="style" />
    <attribute name="target">
        <literal-list>
            <literal value="_blank" />
        </literal-list>
    </attribute>
</tag>
Original issue reported on code.google.com by sudeep...@gmail.com on 16 Jun 2015 at 4:59
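Added example (not part of the original report and not AntiSamy code): a regression check showing that an HTML tokenizer treats the "/" in the reported input as an attribute separator, so the href is visible to a parser-based scheme check while a whitespace-only matcher misses it. The allowlist, the naive pattern and all function names are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: an example allowlist; the issue does not define one.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Hypothetical matcher that expects whitespace between the tag name and the
# first attribute. It stands in for any check that misses the "/" separator.
NAIVE_HREF = re.compile(r"<a\s+[^>]*?href\s*=\s*([^\s>]+)", re.IGNORECASE)

# Characters browsers drop from the front of a URL (C0 controls and space).
LEADING_JUNK = "".join(map(chr, range(0x21)))


def url_scheme(value):
    """Return the lowercased scheme, or None for a relative URL."""
    cleaned = re.sub(r"[\t\n\r]", "", value).lstrip(LEADING_JUNK)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return match.group(1).lower() if match else None


class HrefCollector(HTMLParser):
    """Collects href values from <a> start tags as the tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def hrefs_seen_by_parser(markup):
    collector = HrefCollector()
    collector.feed(markup)
    collector.close()
    return collector.hrefs


def hrefs_seen_by_naive_matcher(markup):
    return NAIVE_HREF.findall(markup)


def disallowed_hrefs(markup):
    """href values whose scheme is present but not on the allowlist."""
    return [h for h in hrefs_seen_by_parser(markup)
            if url_scheme(h) not in ALLOWED_SCHEMES | {None}]


REPORTED = "<a/href=javascript:alert(1)>xyz"      # input from the report
BENIGN = '<a href="https://example.com/">ok</a>'  # constructed sample
```

Running the same two inputs through the sanitizer under test and passing its output to disallowed_hrefs gives a pass/fail check for this report.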