jeff377 / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

Unable to restrict " stYle=x:expre/**/ssion(alert(9)) ns=" #128

Status: Closed (GoogleCodeExporter closed this issue 8 years ago)

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Used all the policies available in 1.4.4 to prevent " stYle=x:expre/**/ssion(alert(9)) ns=" but they seem not to be working.

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

Policy policy = Policy.getInstance(policyFileLocation); // load the AntiSamy policy XML (throws PolicyException)
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(request.getParameter("type"), policy, AntiSamy.SAX); // sanitize the untrusted input with the SAX scanner

What is the expected output? What do you see instead?
Is there a way to filter this out?

What version of the product are you using? On what operating system?
AntiSamy-1.4.4

Please provide any additional information below.

Original issue reported on code.google.com by Joyd...@gmail.com on 6 Mar 2012 at 8:59

GoogleCodeExporter commented 8 years ago
Hi,

This works properly with the following code,

import org.owasp.validator.css.CssScanner;
import org.owasp.validator.html.CleanResults;

CssScanner scanner = new CssScanner(policy, messages); // CSS-specific scanner backed by the same policy
CleanResults cr1 = scanner.scanInlineStyle(...);       // scan the value as an inline style attribute

Cheers!

Original comment by Joyd...@gmail.com on 6 Mar 2012 at 10:39

GoogleCodeExporter commented 8 years ago
What is the exact string value you pass to as.scan()? The string:

 " stYle=x:expre/**/ssion(alert(9)) ns=" 

is not inherently dangerous unless it is stuck into an existing, quoted, HTML attribute. This is not how AntiSamy values are intended to be used. AntiSamy content should be placed between a start and close tag, e.g.:

<div>${antiSamyOutput}</div>

Original comment by arshan.d...@gmail.com on 29 Mar 2012 at 4:01
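The point in the reply above is about output context rather than the sanitizer: the reported string contains quote characters, so it is harmless as element content but terminates a surrounding double-quoted attribute. The block below is an added illustration, not code from the AntiSamy project or from anyone in this thread. It uses the exact string from the bug report as constructed input, a generic attribute-encoding routine (not an AntiSamy API), and a small attribute-name extractor so the two placements can be compared; the `<input>` and `<div>` templates are assumptions for the demonstration.

```javascript
// Added example (not AntiSamy code). Constructed input: the string from the report,
// including its leading and trailing double quotes.
const reported = '" stYle=x:expre/**/ssion(alert(9)) ns="';

// Characters that can close a quoted attribute value or open a new tag.
const ATTR_BREAKERS = /["'<>]/;

// Tells the caller whether a raw value may be dropped into a quoted attribute
// without encoding. Any breaker character means "no".
function canBreakOutOfAttribute(value) {
  return ATTR_BREAKERS.test(String(value));
}

// The placement AntiSamy output is designed for: between a start and end tag.
// Tag and attribute filtering has already been applied to cleanHtml by the
// sanitizer, so it is emitted as-is inside a container element.
function placeInElement(cleanHtml) {
  return `<div>${cleanHtml}</div>`;
}

// The placement the report effectively describes: raw concatenation into an
// existing quoted attribute. Returned unchanged so the result can be inspected.
function placeInAttributeUnsafe(value) {
  return `<input value="${value}">`;
}

// Attribute-context encoding (the mitigation for that placement). This is a
// generic routine, not an AntiSamy API: it is a separate step from HTML
// sanitization, which only decides which tags and attributes survive.
function attrEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function placeInAttribute(value) {
  return `<input value="${attrEncode(value)}">`;
}

// Defender-side check: list the attribute names a single tag actually carries.
// Quoted values are skipped as a unit, so a quote inside a properly encoded
// value cannot be mistaken for the start of a new attribute.
function attributeNames(tag) {
  const inner = tag.replace(/^<[\w:-]+/, '').replace(/\/?>$/, '');
  const re = /\s+([\w:-]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Stand-alone run: compare the three placements side by side.
console.log(placeInElement(reported));
console.log(attributeNames(placeInAttributeUnsafe(reported)));
console.log(attributeNames(placeInAttribute(reported)));
```

Run with `node`, the unsafe placement reports three attributes on the tag (`value`, `stYle`, `ns`) because the quotes in the value close `value` early, while the encoded placement reports only `value`. That difference, not anything the HTML sanitizer can fix, is what the reply is pointing at: sanitize with AntiSamy for element content, and apply attribute encoding whenever a value lands inside an attribute.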

GoogleCodeExporter commented 8 years ago
Closed due to lack of response.

Original comment by arshan.d...@gmail.com on 24 Jun 2012 at 5:20