esapi-java-legacy
When I call the API 'ESAPI.validator().getValidSafeHTML' with mixed-encoding input, the mixed input will be filtered.
1. When I call the API "ESAPI.validator().getValidSafeHTML" with this input:
"<html>
<table>
<tbody>
<tr>
<td><p>\n This administrative email\n is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If
you\n want the early word on all Rockstar game announcements, official launches,\n contests, special events,
and more <a href=\"https://socialclub.rockstargames.com/settings/email?utm_source=Social%20Club&utm_medium=Email&utm_campaign=Administrative%20Emails&utm_content=en\">subscribe\n
to the Rockstar Games Mailing List</a>.<p>
</td>
</tr>
</tbody>
</table>
</html>"
the result is
"<table> <tbody> <tr> <td><p> This administrative email is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If you want the early word on all Rockstar game announcements, official launches, contests, special events, and more subscribe to the Rockstar Games Mailing List.</p><p> </p></td> </tr> </tbody> </table>"
and the 'a' tag is missing.
2. I have set the 'a' tag in the whitelist in antisamy.xml and set Encoder.AllowMixedEncoding=true.
3. I want to know how to make the result contain the 'a' tag.
So first and foremost: your intended input isn't translating very well across email. Could you drop it in a GitHub gist or include the sample as a text attachment? In my view here there is no "a" tag in the input to start with.
On 12/3/2021 1:28 AM, wangyun2018 wrote:
The input file is attached below (input.txt), and the result after calling ESAPI.validator().getValidSafeHTML is below; the 'a' tag is missing.
oh wow... for some reason when this came in I completely missed this was github and thought it was hitting the main mailing list. My apologies. I'll try and reproduce.
May want to try with the latest version of AntiSamy. There's been some updates in it that might fix the issue.
-kevin
On Tue, Dec 7, 2021, 10:04 PM Matt Seil wrote:
@wangyun2018 did this get resolved? Can you provide the AntiSamy XML you are using? It does seem like an AntiSamy issue, not an ESAPI one. What is the reason to enable the strongly discouraged mixed encoding?
@wangyun2018 I'm in a mode where I can debug this, but I need the relevant antisamy configs to minimize the time it takes to match your config. I would understand that you wouldn't want to publish the entire whitelist, but at minimum I need those href tag configs.
By default ESAPI is configured like this:
<tag name="a" action="validate">
    <attribute name="href" onInvalid="filterTag"/>
    <attribute name="nohref">
        <literal-list>
            <literal value="nohref"/>
            <literal value=""/>
        </literal-list>
    </attribute>
    <attribute name="rel">
        <literal-list>
            <literal value="nofollow"/>
        </literal-list>
    </attribute>
</tag>
@xeno6696 - Note: to test this in JUnit, you will have to create a custom AntiSamy XML policy file and drop it under 'src/test/resources' and load it with HTMLValidationRule.loadAntisamyPolicy("Name_of_your_policy_file") from your JUnit test. We already do that in 1 or 2 tests so you can follow them as an example.
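A reproduction test in the shape Kevin describes, added here as an illustration and not part of the ESAPI project. It assumes a policy file named antisamy-esapi-issue645-test.xml (hypothetical name) in src/test/resources that whitelists the "a" tag, that the test class sits in the same package as the project's existing HTMLValidationRule tests, and that the project's ESAPI.properties is on the test classpath; the input is the reporter's HTML reduced to the table cell with the anchor.

```java
package org.owasp.esapi.reference.validation;

import static org.junit.Assert.assertTrue;

import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.esapi.ESAPI;

/**
 * Reproduces the report: an anchor with a URL-encoded (%20) query string
 * disappears from the output of getValidSafeHTML. Fails while the bug is present.
 */
public class HTMLValidationRuleAnchorTest {

    // Hypothetical policy file name: whatever custom policy you drop into src/test/resources.
    private static final String POLICY_FILE = "antisamy-esapi-issue645-test.xml";

    // Reporter's input, reduced to the cell that carries the anchor.
    private static final String INPUT =
        "<table><tbody><tr><td><p>This administrative email is being sent to you from "
      + "Rockstar Games, 622 Broadway, NY, NY 10012. If you want the early word on all "
      + "Rockstar game announcements, official launches, contests, special events, and more "
      + "<a href=\"https://socialclub.rockstargames.com/settings/email"
      + "?utm_source=Social%20Club&utm_medium=Email&utm_campaign=Administrative%20Emails"
      + "&utm_content=en\">subscribe to the Rockstar Games Mailing List</a>."
      + "</p></td></tr></tbody></table>";

    @BeforeClass
    public static void loadCustomPolicy() throws Exception {
        // Swap in the custom AntiSamy policy before the validator is used.
        HTMLValidationRule.loadAntisamyPolicy(POLICY_FILE);
    }

    @Test
    public void anchorSurvivesSanitization() throws Exception {
        String result = ESAPI.validator().getValidSafeHTML("issue645", INPUT, 4096, false);

        // The report says the whole <a ...>...</a> is stripped; both checks fail in that case.
        assertTrue("anchor tag was stripped: " + result, result.contains("<a "));
        assertTrue("href was stripped: " + result,
                   result.contains("href=\"https://socialclub.rockstargames.com/settings/email"));
    }
}
```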
Yeah I'm good: It's ready to go, I just need the proper inputs to see whether or not this is something I can help with.
I suspect it's AntiSamy as well but stranger things have happened.
@xeno6696 - My guess, if it's not AntiSamy, it's one of the parsers that they are using. If the latter, it will not be fixed.
@wangyun2018 - Can you attach the AntiSamy XML policy file fragment that Matt asked for so we can try to get this wrapped up? Thanks!