AntiSamy is not working for special case #44
Comments
What do you mean by it fails? It doesn't notice this at all? It strips it silently? It crashes? What exactly do you want AntiSamy to do in this situation, as compared to what it does now?
Can you check the test case which I have given.
I just added a GitHub Action that will automatically run `mvn test` after a
push. Can you open a branch with this failing test case?
On Wed, Jun 10, 2020 at 9:19 PM satishraikwar ***@***.***> wrote:

> What do you mean by it fails? It doesn't notice this at all? It strips it
> silently? It crashes?
>
> What exactly do you want AntiSamy to do in this situation, as compared to
> what it does now?
>
> Can you check the test case which I have given.
> <style/onload=alert(document.domain)> is not getting clean html. After
> Scan.
Sure 👍
Hi,
I have written the test case, which is cleaning the HTML, but why is it
giving a blank error message list?
Can you check the test case.
```java
// Inside the JUnit test class; the AntiSamy instance and imports were not shown in the original.
import org.junit.Test;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

private final AntiSamy as = new AntiSamy();

@Test
public void getErrorMessagesIssue() throws ScanException, PolicyException {
    Policy ebayPolicy = Policy.getInstance(getClass().getResource("/antisamy-ebay.xml"));
    String dirty = "<style/onload=alert(document.domain)>";
    CleanResults cr = as.scan(dirty, ebayPolicy, AntiSamy.SAX);
    // Print the sanitized output and the (reportedly empty) error message list
    System.out.println("=========================" + cr.getCleanHTML());
    System.out.println("=============getErrorMessages============" + cr.getErrorMessages());
}
```
Thanks
Satish
On Wed, Jun 10, 2020 at 9:25 PM Arshan Dabirsiaghi <notifications@github.com> wrote:

> I just added a GitHub Action that will automatically run `mvn test` after a
> push. Can you open a branch with this failing test case?
>
> On Wed, Jun 10, 2020 at 9:19 PM satishraikwar ***@***.***> wrote:
>
> > What do you mean by it fails? It doesn't notice this at all? It strips it
> > silently? It crashes?
> >
> > What exactly do you want AntiSamy to do in this situation, as compared to
> > what it does now?
> >
> > Can you check the test case which I have given.
> > <style/onload=alert(document.domain)> is not getting clean html. After
> > Scan.
OK. I created a new branch at: https://github.com/nahsra/antisamy/tree/issue44 which incorporates what it looks like @satishraikwar was trying to do.

@nahsra - the results are a bit weird to me as well. I created 2 HTML strings (test44a & b) that incorporate the style of concern. In both cases, the resulting 'clean' HTML strips out this style (which is good I think). But in the first case an error message is created: But in the second case, with simply a SPACE character after the style snippet, no error message is thrown. I also manually tried a much simpler HTML snippet and got similar results, except the error message was thrown in the snippet w/out the space instead of the one with the space.

@satishraikwar - given this test code, what are you expecting AntiSamy to do? I think in both cases it returns the correct HTML, but in only 1 case does it return an error message, which I do agree is probably not correct. And I think the error message is related to what's left in the document, not the
I am marking this as a dupe of issue #47.
AntiSamy is not working for the test case; I tried in the latest version also.
When there is a "/" character inside the tag it fails.
My Test Case:
```java
@Test
public void testXSSScript() throws PolicyException, ScanException {
    // "/" instead of whitespace between the tag name and the onload attribute
    String result = scanner.scan("<style/onload=alert(document.domain)>");
    assertEquals("", result);
}
```
==== Logic called by the test case ====
Please consider that the policy is loading, and I attached antisamy.xml. For some reason it is not giving any error for <style/onload=alert(document.domain)> when "Collection errors = r.getErrorMessages();" executes.
```java
public String scan(String untrustedUserInput) throws PolicyException, ScanException {
    CleanResults r = webSecurityScanner.scan(untrustedUserInput, AntiSamy.SAX);
    if (logger.isDebugEnabled()) {
        logger.debug("Scanned request parameter in " + r.getScanTime() + "ms");
        logger.debug("Value: " + untrustedUserInput);
        logger.debug("Result: " + r.getCleanHTML());
        logger.debug("Errors: " + r.getErrorMessages());
    }
    // The end of the method was cut off in the issue; returning the cleaned HTML is
    // assumed here, since the test compares the result with an expected clean string.
    return r.getCleanHTML();
}
```
antisamy.zip
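As an added example (not code from the AntiSamy project or from anyone in this thread), here is a JUnit test that exercises the two inputs discussed above, the `<style/onload=...>` snippet with and without a trailing space, and asserts on the cleaned output rather than on the error-message list, which the thread shows to be inconsistent between the two variants. It assumes JUnit 4, the `antisamy-ebay.xml` policy referenced earlier being on the test classpath, and the `AntiSamy`, `Policy` and `CleanResults` API used in the snippets; the expectation that the payload is stripped comes from the thread's own report, and the class and helper names are my own.

```java
import java.util.List;

import org.junit.Test;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

// Hypothetical regression test for the behaviour reported in issue #44.
public class Issue44RegressionTest {

    // Policy file named in the thread; assumed to be on the test classpath.
    private Policy loadPolicy() throws PolicyException {
        return Policy.getInstance(getClass().getResource("/antisamy-ebay.xml"));
    }

    // Scan with the SAX parser, as the thread's snippets do.
    private CleanResults scan(String dirty) throws PolicyException, ScanException {
        return new AntiSamy().scan(dirty, loadPolicy(), AntiSamy.SAX);
    }

    // The security-relevant check: inspect the cleaned output itself. Whether or
    // not an error message was recorded, no event-handler attribute, script
    // payload or style element may survive sanitization.
    private static void assertPayloadStripped(CleanResults cr) {
        String clean = cr.getCleanHTML();
        String lower = clean.toLowerCase();
        assertFalse("event handler survived: " + clean, lower.contains("onload"));
        assertFalse("payload survived: " + clean, lower.contains("alert("));
        assertFalse("style element survived: " + clean, lower.contains("<style"));
    }

    @Test
    public void slashSeparatedAttributeIsStripped() throws Exception {
        // Exact input from the thread: "/" instead of whitespace before the attribute.
        assertPayloadStripped(scan("<style/onload=alert(document.domain)>"));
    }

    @Test
    public void slashSeparatedAttributeWithTrailingSpaceIsStripped() throws Exception {
        // Variant with a trailing space, which the thread reports changes
        // whether an error message is produced but not the cleaned HTML.
        assertPayloadStripped(scan("<style/onload=alert(document.domain)> "));
    }

    @Test
    public void errorMessagesAreAdvisoryOnly() throws Exception {
        // Documents the thread's observation: the error list is not a reliable
        // signal that something was removed. The test therefore only requires
        // the list to exist and reports its size instead of asserting a count.
        String[] inputs = {
            "<style/onload=alert(document.domain)>",
            "<style/onload=alert(document.domain)> "
        };
        for (String dirty : inputs) {
            CleanResults cr = scan(dirty);
            List<String> errors = cr.getErrorMessages();
            assertNotNull(errors);
            System.out.println("[" + dirty + "] -> " + errors.size() + " error message(s)");
        }
    }
}
```

The point of `assertPayloadStripped` is that a wrapper which decides "input was dangerous" by checking `getErrorMessages()` alone, as the `scan` helper in the issue appears to log, would reach different conclusions for the two inputs even though both are cleaned; gating on the cleaned HTML (or on whether it differs from the input) is the check that does not depend on that inconsistency.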