AntiSamy is not work on <svg/onload = alert('Hello')/> #47
Comments
I just added the following test case to AntiSamyTest.java and it passes no problem. It includes a test that matches your issue title (ending with `/>`) as well as a test without the `/` at the end, and then the `<style/onload` version of the test you described in the 'test case for reference' you provided, which actually looks more like issue #44.
As such, I can't replicate the issue. Can you provide a pull request to AntiSamyTest.java with a failing test case that demonstrates your issue?
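For readers who want to reproduce what the comment above describes, here is an added JUnit test that exercises the three payload shapes mentioned (the title variant ending in `/>`, the variant without the trailing `/`, and the `<style/onload` variant from the reporter's test). This is example code written for this page, not the test that was committed to AntiSamyTest.java; it assumes the project's `antisamy.xml` policy is on the classpath, as it is in the project's own test resources, and asserts only that no `onload` handler or `alert(` call survives in the cleaned output. It also collects `getErrorMessages()` so you can see what the scanner reports for each input.

```java
import java.io.InputStream;
import java.util.List;

import org.junit.Test;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class SvgOnloadVariantsTest {

    // Assumption: the project's default policy file is available on the test classpath.
    private static final String POLICY_RESOURCE = "/antisamy.xml";

    // Constructed inputs: the three shapes discussed in this issue thread.
    private static final String[] PAYLOADS = {
        "<svg/onload = alert('Hello')/>",          // issue title, trailing "/>"
        "<svg/onload = alert('Hello') >",          // same, without the "/"
        "<style/onload = alert(document.domain)>", // reporter's <style/onload variant
    };

    private Policy loadPolicy() throws PolicyException {
        InputStream in = getClass().getResourceAsStream(POLICY_RESOURCE);
        assertNotNull("policy resource not found: " + POLICY_RESOURCE, in);
        return Policy.getInstance(in);
    }

    @Test
    public void onloadHandlerNeverSurvivesScan() throws PolicyException, ScanException {
        Policy policy = loadPolicy();
        AntiSamy as = new AntiSamy();

        for (String payload : PAYLOADS) {
            // AntiSamy.scan returns CleanResults; the sanitized markup is getCleanHTML().
            CleanResults cr = as.scan(payload, policy);
            String clean = cr.getCleanHTML();

            // The event handler and its script body must not reach the output.
            assertFalse("onload survived for: " + payload,
                        clean.toLowerCase().contains("onload"));
            assertFalse("alert( survived for: " + payload,
                        clean.contains("alert("));

            // Informational: what the scanner reports it changed for this input.
            List<String> messages = cr.getErrorMessages();
            System.out.println(payload + " -> clean=" + clean + " errors=" + messages);
        }
    }
}
```

The assertions are deliberately on the cleaned HTML rather than on `getErrorMessages()`: the error list describes what the scanner altered and can legitimately be empty or worded differently across policies and releases, whereas the absence of an `onload` handler in the output is the property a caller actually depends on.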
Hey, thanks.
@davewichers Do you have any update on it?
The JavaDoc and
The README.md has been updated to be more clear on this, as has the JavaDoc, and these changes have been checked into 'master' in commit 75f9bb4. The JavaDoc changes will also be pushed out in the 1.5.11 release, which we are working on now, but in the meantime the README displayed on GitHub for this project has the latest guidance on how getErrorMessages() works.
I am working on an XSS issue where our tester found an input like `<svg/onload = alert('Hello') >`, and AntiSamy is not cleaning this particular tag.
Even when I debug the AntiSamy library, it considers it (or `<style>`) as a tag and continues with the current code path, so it does not throw any particular exception.
I have already written a small test case for your reference:

```java
@Test
public void testStyleOnloadWithAlertScripts() throws PolicyException, ScanException {
    // `scanner` is the reporter's own helper and is assumed here to return the
    // cleaned String. (AntiSamy.scan(...) itself returns CleanResults; the cleaned
    // markup is obtained with getCleanHTML().)
    assertEquals("", scanner.scan("<style/onload = alert(document.domain)>"));
}
```

Can anyone look into resolving this issue, either through the XML configuration or in a new patch release?