google-code-export / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
1 stars 1 forks source link

AntiSamy Allows Body Tags And I Can't Get It To Not #171

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use the attached profile or really any profile where body is supposed to be 
removed
2. Use the latest version of AntiSamy
3. Insert a body tag into your input (and you can even insert JS into the tag)

What is the expected output? What do you see instead?
I expect the body tag to be removed, but it is NOT.  It seems to be the only 
tag where this is the case -- it'll remove HTML, B, BLOCK, etc, but not BODY 
tags.

What version of the product are you using? On what operating system?
Tried in multiple versions, to include 1.5.1, etc.  RedHat, tried Java 6 and 
Java 7, tried Tomcat7 and Weblogic.

Please provide any additional information below.
I've tried using AntiSamy's default deny and simply having the few tags I 
expected, but body tags still go through antisamy.  At the moment I made a 
regex in my backend code that yanks body tags because sometimes CKEditor would 
throw them in, which really screwed up a page (it was a bug with CKEditor that 
led us to finding this hole).

Original issue reported on code.google.com by fukustev...@gmail.com on 19 Dec 2013 at 2:03

Attachments: