tomshearer / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy
0 stars 0 forks source link

Anchor tag with script tag not getting santized correctly for cases of this kind- "<a/href=javascript:alert(1)>xyz" #191

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Add the following script "<a/href=javascript:alert(1)>xyz"
2. antisamy does not sanitize the text correctly
3.

What is the expected output? What do you see instead?
The above script does not get sanitized. It does not identify the anchor tag 
with script due to the char '/' between "a" and "href".

Browsers render this correctly and executes the script when 
clicked-<a/href=javascript:alert(1)>xyz

What version of the product are you using? On what operating system?

Please provide any additional information below.
In the antisamy-restricted.xml file, following is the policy definition for 
anchor tag-
<tag name="a" action="validate">
            <!-- onInvalid="filterTag" has been removed as per suggestion at OWASP 
                SJ 2007 - just "name" is valid -->
            <attribute name="href" />
            <attribute name="nohref">
            <literal-list>
                    <literal value="nohref"/>
                    <literal value=""/>
                </literal-list>
            </attribute>
            <attribute name="rel">
                <literal-list>
                    <literal value="nofollow" />
                </literal-list>
            </attribute>
            <attribute name="style" />
            <attribute name="target"> 
                <literal-list>
                    <literal value="_blank" />
                </literal-list>
            </attribute>
        </tag>

Original issue reported on code.google.com by sudeep...@gmail.com on 16 Jun 2015 at 4:59