xiebiao / owaspantisamy

Automatically exported from code.google.com/p/owaspantisamy

getErrorMessages() not populated for unsafe inputs and can bypass most implementations. #142

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Tried printing getCleanHTML(input) and getErrorMessages(input)
2. The inputs are,
i)
<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>

ii)
<img src=x / onerror=alert(1)>

What is the expected output? What do you see instead?
getCleanHTML() gives clean output, which cannot be used for executing 
JavaScript. That's good and safe.
But getErrorMessages() is empty in both cases. So people relying on 
getErrorMessages() are in trouble.

What version of the product are you using? On what operating system?
Latest, Version 1.4.4

Please provide any additional information below.
This is a continuation of the old issue with one more different bypass.

Original issue reported on code.google.com by ahamedna...@gmail.com on 22 Oct 2012 at 11:09

GoogleCodeExporter commented 9 years ago
The larger issue of relying on getErrorMessages().size() as an indication of 
input safety is a misuse of the API, and I'm not sure I can do anything about 
that. We give error messages to try to help the user massage their input, not 
tell the site owner how many possible attacks are in the payload.

We will continue to try to make error messages appear for all the missteps in 
the cleanup process. However, the error messages will never be a yardstick for 
the input's safety.

To me, this is like blaming the guy who made the shield when the knight was 
holding it sideways and left-handed. Can you tell I played D&D?

Original comment by arshan.d...@gmail.com on 22 Oct 2012 at 2:29

GoogleCodeExporter commented 9 years ago
So I understand that developers should only trust getCleanHTML() and use 
getErrorMessages() for additional info, if any. 

And I completely understand that now. So I think it would be better to educate 
the developers about how they implement and use AntiSamy. 

Am just curious whether you have talked about this substantially in any part of 
the documentation?

Original comment by ahamedna...@gmail.com on 23 Oct 2012 at 5:41
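An added example (not code from the AntiSamy project or from either commenter) contrasting the misuse described in the second comment, gating on an empty error list, with the intended use summarised in the third: always emit getCleanHTML() and treat the messages as submitter feedback only. The class name and the policy file path are assumptions.

```java
import java.util.List;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyUsage {

    // Misuse described in the thread: treating an empty error list as "input is safe"
    // and echoing the ORIGINAL markup. AntiSamy never promised one message per removed
    // construct, so this path can hand raw input to the page.
    static String renderMisuse(AntiSamy as, Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults cr = as.scan(input, policy);
        if (cr.getErrorMessages().isEmpty()) {
            return input;                  // unsanitised markup reaches the page
        }
        return cr.getCleanHTML();
    }

    // Intended use: the sanitised output is the only thing rendered. The messages
    // are feedback for whoever submitted the markup, not a safety verdict.
    static String renderCorrect(AntiSamy as, Policy policy, String input)
            throws ScanException, PolicyException {
        CleanResults cr = as.scan(input, policy);
        List<String> messages = cr.getErrorMessages();
        for (String m : messages) {
            System.out.println("note for submitter: " + m);   // may well be empty
        }
        return cr.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Assumed path: point this at the AntiSamy policy file your deployment uses.
        Policy policy = Policy.getInstance("antisamy.xml");
        AntiSamy as = new AntiSamy();
        // The two inputs quoted in the report above.
        String[] inputs = {
            "<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>",
            "<img src=x / onerror=alert(1)>"
        };
        for (String in : inputs) {
            System.out.println("misuse : " + renderMisuse(as, policy, in));
            System.out.println("correct: " + renderCorrect(as, policy, in));
        }
    }
}
```

With the reporter's inputs, renderMisuse returns the input untouched whenever the error list is empty, while renderCorrect returns the stripped markup regardless of how many messages were produced.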