java.lang.NoClassDefFoundError when using the antisamy-1.4.1.xml policy file

fmorote / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

0 stars 0 forks source link

java.lang.NoClassDefFoundError when using the antisamy-1.4.1.xml policy file #95

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

What steps will reproduce the problem?
1. set the policy file to antisamy-1.4.1.xml
2. try to clean the following code:
<div style="background:url('javascript:alert('xss 2')')">Some bad HTML!</div>
3. You get an error: java.lang.NoClassDefFoundError: 
org/apache/commons/httpclient/HttpContentTooLargeException

What is the expected output? What do you see instead?

Cleaned HTML

What version of the product are you using? On what operating system?

1.4.1 on Windows server 2003 or Windows Vista

Please provide any additional information below.

This works fine with the antisamy-slashdot-1.4.1.xml, but this prolicy file is 
way more restrictive and removes a lot of the user code like a simple img tag.

Original issue reported on code.google.com by huba...@gmail.com on 22 Nov 2010 at 10:11

GoogleCodeExporter commented 9 years ago

I get the same error when using "style" inline with the div.  I am trying to 
make it accept inline CSS as well as <style> tag with CSS. I have been trying 
to figure this out for a couple weeks.

Original comment by jtra...@gmail.com on 1 Dec 2010 at 2:07

GoogleCodeExporter commented 9 years ago

I get the same error. I want to use the library in combination with Confluence 
Wiki for developing a plugin. And the error occurs when I put an <style> - 
Element in snippet that should clean from Antisamy.

Original comment by nmaas...@googlemail.com on 6 Dec 2010 at 10:14

GoogleCodeExporter commented 9 years ago

You need all of AntiSamy's dependencies. When you want to use stylesheet 
validation the library looks up Apache Commons HTTP library - something it 
needs to do offsite CSS retrieval.

The required dependencies are as follows:
* Apache Xerces 2.8.1
* Apache Batik-CSS 1.7
* NekoHTML 1.9.12
* Apache Commons HTTP-Client 3.1

Original comment by arshan.d...@gmail.com on 6 Dec 2010 at 6:13

Changed state: Invalid

GoogleCodeExporter commented 9 years ago

This may help anyone running AntiSamy in a Maven build.

To get this working I also had to explicitly import Batik (it only showed up as 
a problem once we were validating some allowed CSS).
<!-- AntiSamy itself -->
<dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy</artifactId>
    <version>1.4.3</version>
</dependency>
<!-- Explicit import of Batik -->
<dependency>
    <groupId>org.apache.xmlgraphics</groupId>
    <artifactId>batik-css</artifactId>
    <version>1.7</version>
</dependency>
<!-- And the correct version of Commons HTTPCLient -->
<dependency>
    <groupId>commons-httpclient</groupId>
    <artifactId>commons-httpclient</artifactId>
    <version>3.1</version>
</dependency>

Original comment by RedYetiD...@gmail.com on 17 Feb 2011 at 10:13