
DefaultValidator.isValidSafeHTML() doesn't work #204

@meg23

Description


From phillipr...@gmail.com on December 28, 2010 12:49:20

What steps will reproduce the problem?
1. Scan vulnerable HTML; it will return true.
2. Used the default antisamy-esapi.xml.

What is the expected output? What do you see instead?
false

What version of the product are you using? On what operating system?
2.0_rc10, Linux

Does this issue affect only a specified browser or set of browsers?

Please provide any additional information below.
The reason it doesn't work is that isValidSafeHTML uses getValidSafeHTML and assumes an exception will be thrown in the case where the HTML is invalid. No exception will be thrown. DefaultValidator.getValidSafeHTML() uses HTMLValidation.getValid() to clean HTML. The HTMLValidation.getValid() does clean the HTML. To correct the issue the developers may want to write an HTMLValidation.isValid() method... have it call AntiSamy, checking if errors are present on the CleanResult. If errors exist, return false, as the HTML isn't clean according to the antisamy-esapi.xml policy.

Also consider updating the DefaultSecurityConfiguration.getResourceStream() to load configuration files from the classpath. It seems inconsistent for the ESAPI.properties and validation.properties file to be loadable from classpath when antisamy-esapi.xml isn't. I find it natural to add these files to my src/main/resource on the maven project which depends on esapi artifact.

I'm going to update the code and create my own version which corrects this defect. Contact me if you'd like a copy of the changed code.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=194
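The check the reporter proposes, as an added example that is not part of the issue or of the ESAPI code base: it puts the exception-based logic the report describes next to one that inspects AntiSamy's `CleanResults`. It assumes AntiSamy's `Policy.getInstance`, `AntiSamy.scan` and `CleanResults.getNumberOfErrors()` API; the class name `SafeHtmlCheck` and the sample input are constructed for this example, and the policy file is read from the classpath as the report suggests.

```java
import java.io.InputStream;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Hypothetical helper (not ESAPI code) contrasting the two ways of deciding "is this HTML safe". */
public class SafeHtmlCheck {

    private final Policy policy;

    /** antisamy-esapi.xml is expected on the classpath, as the report asks for. */
    public SafeHtmlCheck(InputStream policyXml) throws PolicyException {
        this.policy = Policy.getInstance(policyXml);
    }

    /** The logic the report describes: AntiSamy cleans rather than rejects, so no exception
     *  is raised for disallowed markup and this returns true for unsafe input. */
    public boolean isValidByException(String html) {
        try {
            new AntiSamy().scan(html, policy).getCleanHTML();
            return true;
        } catch (ScanException | PolicyException e) {
            return false;
        }
    }

    /** The proposed fix: the input is valid only if the policy recorded no errors,
     *  i.e. nothing had to be removed or altered to make it conform. */
    public boolean isValidByErrors(String html) {
        try {
            CleanResults results = new AntiSamy().scan(html, policy);
            return results.getNumberOfErrors() == 0;
        } catch (ScanException | PolicyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a script element the default policy does not permit
        String unsafe = "<p>hello<script>alert(1)</script></p>";
        InputStream policyXml = SafeHtmlCheck.class.getClassLoader()
                .getResourceAsStream("antisamy-esapi.xml");
        SafeHtmlCheck check = new SafeHtmlCheck(policyXml);
        System.out.println("exception-based: " + check.isValidByException(unsafe));
        System.out.println("error-count-based: " + check.isValidByErrors(unsafe));
    }
}
```

With the default policy the first call reports the input as valid because the scan completes without throwing, while the second reports it as invalid because AntiSamy logged the removed element as an error.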
