jeff377 / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
0 stars 0 forks source link

Cleaning to much? #74

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi, we are using AntiSamy 1.3 (Java) with the antisamy 1.3 xml policy file. 
Cleaning the following text (from an input field for entering formulas):

if(f_calc_cost_te<l_target_price,"0-3%",
   if(f_feedback_perc_distance<2,"0-3%",
      if(f_feedback_perc_distance<5,"3-6%",
         if(f_feedback_perc_distance<10,"6-12%",
            if(f_feedback_perc_distance<16,"12-18%",
               if(f_feedback_perc_distance<22,"18-24%",
                  if(f_feedback_perc_distance<30,"24-30%",">30%")))))))

returns

if(f_calc_cost_te30%&quot;)))))))

Is this really the indended behaviour? 

Best regards,
Ulf

Original issue reported on code.google.com by ulf.ekst...@gmail.com on 17 Mar 2010 at 11:52

GoogleCodeExporter commented 8 years ago
Yes, this is really intended behavior. The greater-than signs used in the 
comparisons
appear to AntiSamy like they're unknown HTML tags, or even a fragmented HTML 
attack
meant to bypass attack signatures.

If this is the type of data you're expecting (not HTML) you're better off with a
strictly HTML-encoding function, like encodeForHTML() in the OWASP ESAPI 
project.

Original comment by arshan.d...@gmail.com on 23 Mar 2010 at 6:29