Closed GoogleCodeExporter closed 8 years ago
Thanks for the detailed write up, we'll look into this.
Original comment by arshan.d...@gmail.com
on 7 Nov 2009 at 8:13
Thanks for accepting the issue.
[Additional information]
The same happens for tags like <?tag> or <!tag> or <|tag>. This is a very
unpleased
behavior, since the tags starting with such special characters ( ?, !, |, etc)
are
skipped. I mean, the html text containing such tags, from antisamy point of
view , is
VALID.
Note: antisamy xml policy file is the same, does not contain rules for tags
starting
with mentioned characters, meaning that suck tags must be rejected when
scanning,
must generate ValidationException errors.
Thank you,
Dan Strajan.
Original comment by M4tr4gun4
on 23 Nov 2009 at 8:12
The "input" tag not being reported is fixed, since it's not on the list of tags
that
could, if allowed by policy, remain and remain empty.
However, the fake and invalid tags you report I'm not sure I have a great
answer for.
I recognize that it's currently not being reported correctly, but making a hack
to
detect those specifically invalid tags when there really is no security problem
seems
to me to be worse than the original problem.
The error messages are for guidance to users who need to fix their problems. If
an
attacker is throwing random/invalid tags at you, it doesn't really matter that
they
don't get perfect error messages.
The error messages are not intended to be a "security" log, by any means. It's a
best-effort attempt to capture why the input didn't work and what can be done
to make
it work.
Thanks for the report!
Original comment by arshan.d...@gmail.com
on 25 Nov 2009 at 10:25
Original issue reported on code.google.com by
M4tr4gun4
on 20 Oct 2009 at 10:07Attachments: