mauricionobrega / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
0 stars 0 forks source link

Tag.action = encode doesn't work correctly for attribute values of tag #187

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Input string is "<p><strong>Support</strong> </p><script 
type='text/javascript'>alert('Support Contact');></script>"
2. In policy file, define tag rule for script tag as <tag name="script" 
action="encode"/>
3. Run AntiSamy sanitizer against above specified input.

What is the expected output? What do you see instead?
Actual: <p><strong>Support</strong> </p>&lt;script 
type=&quot;text&amp;#47;javascript&quot;&gt;alert('Support 
Contact');&gt;&lt;/script&gt;

Expected: <p><strong>Support</strong> </p>&lt;script 
type=&quot;text/javascript&quot;&gt;alert('Support Contact');&gt;&lt;/script&gt;

What version of the product are you using? On what operating system?
Antisamy 1.4.4 OS: Windows XP

Please provide any additional information below.
This issue happens with all attribute values containing special characters and 
for tag which is defined with action as encode.

Original issue reported on code.google.com by prashant...@gmail.com on 4 Dec 2014 at 9:40