antiSamy.scan(input, policy) giving the following as not a valid html.

[mahi277149]

input = Awning

then getting following error.
The a tag contained an attribute that we could not process. The href attribute had a value of "Lx.ui.launchBidAlternateValues(2942);". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

Please let me know, how to resolve this issue.

[mahi277149]

these are my onsiteURL and offsiteURL.

[davewichers]

@spassarop - Can you research and respond?

[mahi277149]

name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}\.#@$%+&;-~,?=/!]*(&colon))[\p{L}\p{N}\.#@$%+&;-~,?=/!]*"

name="offsiteURL"
value="(\s)((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}.#@$%+&;:-_~,?=/!()](\s)*"

[spassarop]

Hi That is because the value is nothing close to a URL. To accept that kind of value willingly, then you can create your custom regular expression alongside with offsiteURL and onsiteURL, and add it as part of the accepted expressions for the href attribute. If you wanted to use only the existing ones, you can add the parenthesis right at the end of onsiteURL, for example, before the last square bracket': *()]** You can test that and close the issue. El jue, 11 ene 2024 a las 18:30, mahi277149 ***@***.***>) escribió:

…

name="offsiteURL" value="(\s) *((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}.#@$%+&;:-_~,?=/!()]* (\s)*" — Reply to this email directly, view it on GitHub <#416 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHL3BMK7NPGGM3G2TCOXXNLYOBKXTAVCNFSM6AAAAABBXD6HVCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBXHE4TMNBVGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[mahi277149]

name="onsiteURL"
value="^(?!//)(?![\p{L}\p{N}.#@$%+&;-,?=/!]*(&colon))[\p{L}\p{N}.#@$%+&;-,?=/!()]*"

i tried this with onsiteURL but it did not work, what am i missing here.

[mahi277149]

the href contains following js method
'Lx.ui.launchBidAlternateValues(2942);'

[mahi277149]

The a tag contained an attribute that we could not process. The href attribute had a value of "Lx.ui.launchBidAlternateValues(2942);". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

i am seeing this error.

[spassarop]

I don't know what your problem is. I tested this:

AntiSamy as = new AntiSamy();
String input = "<a href=\"Lx.ui.launchBidAlternateValues(2942);\">Awning</a>";
System.out.println(as.scan(input, policy, AntiSamy.DOM).getCleanHTML());
System.out.println(String.join("\n", as.scan(input, policy, AntiSamy.DOM).getErrorMessages()));
System.out.println(as.scan(input, policy, AntiSamy.SAX).getCleanHTML());
System.out.println(String.join("\n", as.scan(input, policy, AntiSamy.SAX).getErrorMessages()));

Where policy is the default AntiSamy policy from antisamy.xml. Before changing the policy, the output removes the href attribute as you report, as it should. Then I only when to the policy file and changed:

<regexp name="onsiteURL"
            value="^(?!//)(?![\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]*(&amp;colon))[\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]*" />

To this, as I mentioned in my previous comment (only added brackets):

<regexp name="onsiteURL"
            value="^(?!//)(?![\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]*(&amp;colon))[\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!()]*" />

After that, the output is as expected, without removal of href. From this I have two things to comment:
1- Modifying the policy actually works. Check again.
2- It does not sound correct that you want to admit a JS method (even though that does not work as a JS call without the javascript: schema) in a library that is created to prevent JS from executing. Think about it.

In conclusion I will close the issue and if there is a valid reason to reopen it, then do it.