tags:

views:

86

answers:

3
+2  Q: 

How to not transform special characters to html entities with owasp antisamy

Hello, I use Owasp Anti samy with Ebay policy file to prevent XSS attacks on my website.

I also use Hibernate search to index my objects.

When I use this code:

String html = "special word: été";    

// use the Ebay configuration file    
Policy policy = Policy.getInstance(xssPolicyFile.getInputStream());

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(html, policy);

// result is now : "special word: été"
result = cr.getCleanHTML();

As you can see all chars "é" has been transformed to their html entity equivalent "é"

My page is on UTF-8, so I don't need this transformation. Moreover, when I index this text with Hibernate Search, it indexes the word with html entities, so I can't find word "été" on my index.

How can I force antisamy to not transform special chars to their html entity equivalent ?

thanks

A: 

After scouring the AntiSamy source code, I found no way of changing this behavior apart from modifying AntiSamy.

 2010-08-23 08:07:12
A: 

Check out this one: http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet/current/source/owaspantisamy/html/scan

Grab the source and notice that key classes (AntiSamyDOMScanner, CleanResults) use standard framework objects (like XmlDocument). Compile and run with the binary you compiled - so that you can see everything in a debugger - as in which of the major classes actually corrupts your data. With that in hand you'll be able to either change a few properties on major objects to make it stop or inject your own post-processing to revert the wrongdoing (say with a regexp). Latter you can expose that as additional top-level property, say one named NoMess :-)

Chances are that behavior in that respect is different between languages (there's 3 in that trunk) but the same tactics will work no matter which one you have to deal with.

ZXX  2010-08-26 09:38:24
I've thinking of that but that's very tricky because I use Maven and so, I never download entire project source to modify it.That's strange that Antisamy does not implement such a feature.I think I will do it but it's really ugly.
Jerome C.  2010-08-27 07:53:09
Well it's a good excuse to start decoupling :-) Might also be the matter of "assumed" output encoding.
ZXX  2010-08-27 09:10:12
+1  A: 

I ran into the same problem this morning.

I have encapsulated antisamy in a class and I use apache StringEscapeUtil from apache common-lang to restore special characters.

 CleanResults cleanResults = antiSamy.scan(taintedHtml);
 cleanedHtml = cleanResults.getCleanHTML();  
 return StringEscapeUtils.unescapeHtml(cleanedHtml)

The result is a cleaned up HTML without the HTML escaping of special characters.

Hope this helps.

Vincent Giguère  2010-10-29 14:45:49

related questions

Replacing   from javascript dom text node
HTML Entities with jQuery
htmlentities in PHP but preserving html tags
Why does this strange character encoding happen?
Code in a RSS feed
Converting & to & in Objective-C
How to unescape apostrophes and such in Python?
Some Basic Python Questions
Replace html entities with the corresponding utf-8 characters in Python 2.6
How to convert html entities into symbols?
Converting fractions to html entities
How to show Unicode characters in IE using HTML
Euro sign or other entity in Javascript alert/messagebox
Convert HTML Character Back to Text Using Java Standard Library
Convert characters to HTML Entities in Cocoa
HTML entities and charset in IE
Setting nodeValue of text node in Javascript when string contains html entities
When Should One Use HTML Entities
xslt, javascript and unescaped html entities
Javascript: How to dynamically create an <option> that contains an HTML entity (— ... «)
Getting the € with htmlentities
htmlentities equivalent in JSP?
How do I make JSP tag files NOT ignore all whitespace?
Using htmlentities in a string
Parsing XML With Single Quotes?