There is no schema validation for policy XML

[spassarop]

AntiSamy seems to lack of a schema validation when loading the XML of a policy.

This may lead to malformed policies that are valid (AntiSamy won't blow up) but do not comply with the XSD. Bugs can originate from bad policy definition, which could be prevented with XML schema validation.

Even if applying validation to current example policies (and some customized in tests), they fail to validate.

This is a screenshot to the validation on freeformatter for antisamy-tinymce.xml:

I would suggest applying strict schema validation with the already defined XSD. As an improvement, if requested or considered useful, multiple or "stacked" validation could be applied, seen as an intersection of schemas to restrict policies structure even more.

[davewichers]

Sounds good to me. Do you want to implement something in the new 1.6.0 branch?

[spassarop]

Today from the OWASP Uruguay chapter, we did an implementation with some tests on 1.6.0. Soon we’ll create a PR for review and reference this issue.

[spassarop]

@davewichers - PR was created referencing the issue. Maybe this could be tagged as "feature"?

[davewichers]

This was addressed in commit 3f446c5 to the master branch and AntiSamy v1.6.0 was released today with this included.