What steps will reproduce the problem?
1. Use the attached profile or really any profile where body is supposed to be
removed
2. Use the latest version of AntiSamy
3. Insert a body tag into your input (and you can even insert JS into the tag)
What is the expected output? What do you see instead?
I expect the body tag to be removed, but it is NOT. It seems to be the only
tag where this is the case -- it'll remove HTML, B, BLOCK, etc., but not BODY
tags.
What version of the product are you using? On what operating system?
Tried in multiple versions, to include 1.5.1, etc. RedHat, tried Java 6 and
Java 7, tried Tomcat 7 and WebLogic.
Please provide any additional information below.
I've tried using AntiSamy's default deny and simply having the few tags I
expected, but body tags still go through AntiSamy. At the moment I made a
regex in my backend code that yanks body tags because sometimes CKEditor would
throw them in, which really screwed up a page (it was a bug with CKEditor that
led us to finding this hole).
Original issue reported on code.google.com by fukustev...@gmail.com on 19 Dec 2013 at 2:03