Anton Malyshev

Is the AntiSamy policy up to date?

I use the following code to filter out JavaScript code in user-submitted HTML files on Android:

    import org.owasp.validator.html.AntiSamy;
    import org.owasp.validator.html.CleanResults;
    import org.owasp.validator.html.Policy;
    import org.owasp.validator.html.PolicyException;
    import org.owasp.validator.html.ScanException;

    /** Returns the sanitised HTML, or null if the policy could not be loaded or the scan failed. */
    static String sanitize(String taintedHtml) {
        Policy antiSamyPolicy;
        try {
            // Load the policy bundled inside the AntiSamy jar; it defines which tags and attributes survive.
            antiSamyPolicy = Policy.getInstance(AntiSamy.class.getResourceAsStream("/antisamy.xml"));
        } catch (PolicyException e) {
            e.printStackTrace();
            return null;
        }
        AntiSamy antiSamy = new AntiSamy(antiSamyPolicy);
        CleanResults result;
        try {
            result = antiSamy.scan(taintedHtml);
        } catch (PolicyException | ScanException e) {
            e.printStackTrace();
            return null;
        }
        return result.getCleanHTML();
    }

It loads bundled policy "antisamy.xml" which is included in AntiSamy (https://github.com/nahsra/antisamy).

All seems to work OK. The only question is how up to date the policy is. Is it enough to filter out all JavaScript code in contemporary HTML?

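One check worth running before relying on the bundled policy is to feed it a few constructed inputs and confirm that nothing script-bearing survives. The harness below is an added example, not part of the question or of AntiSamy's own code; it assumes the antisamy jar is on the classpath and that the bundled policy lives at the resource path /antisamy.xml as in the question.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.util.regex.Pattern;

public class PolicyCheck {
    // Constructed samples: one benign document plus the three classic carriers of active content.
    private static final String[] SAMPLES = {
        "<p>plain <b>text</b></p>",
        "<p>hi<script>alert(1)</script></p>",
        "<a href=\"javascript:alert(1)\">x</a>",
        "<img src=\"x\" onerror=\"alert(1)\">",
    };

    // A match in the sanitised output means active content got past the policy.
    private static final Pattern ACTIVE = Pattern.compile(
        "(?i)<script|\\son[a-z]+\\s*=|javascript\\s*:");

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(AntiSamy.class.getResourceAsStream("/antisamy.xml"));
        AntiSamy antiSamy = new AntiSamy(policy);
        int leaks = 0;
        for (String sample : SAMPLES) {
            CleanResults r = antiSamy.scan(sample);
            String clean = r.getCleanHTML();
            boolean leaked = ACTIVE.matcher(clean).find();
            if (leaked) leaks++;
            System.out.printf("%s%n  in : %s%n  out: %s%n  policy messages: %d%n",
                leaked ? "LEAK" : "ok", sample, clean, r.getNumberOfErrors());
        }
        if (leaks > 0) {
            System.err.println(leaks + " sample(s) still carry active content; tighten the policy.");
            System.exit(1);
        }
    }
}
```

A clean run only shows the policy rejects these particular inputs; it is evidence about the policy's allowlist, not proof that every construct a current browser executes is covered.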

Answers (0)
