Dave Wichers

Results 50 comments of Dave Wichers

I think I'll wait until 1.6.5 is ready to ship and add it to main right before the release.

This was done as part of the 1.7.0 release.

I'm investigating this. Using a DOM parser, with these settings, I get only: "firstname,lastname" in the output of .getCleanHTML(). Using a SAX parser, I get: `"firstname,lastname<name></name>"`. I'm not sure if...

@spassarop - Is this even possible/reasonable? Or way too hard? I suspect 'too hard'.

@spassarop - You did a lot of analysis on this one. Are there any changes you are comfortable with making that would improve anything?

@izian I can replicate the behavior that `Hello\uD83D\uDC95` doesn't change when getting sanitized by AntiSamy. However, when I try just: `\uD888` that doesn't get sanitized either. Can you show me...

To be clear this issue is not a vulnerability (@nahsra's 'nominal risk' comment). It is intended functionality that doesn't work, but the fact that it doesn't isn't a security...

@nahsra - Given the comment: "given that this functionality hasn’t worked in a while (unless you pass through a single character) it would likely be worse for people who have...

@spassarop - Hey Sebastian - any clue how to address this old issue? There are two test cases for this issue already in the test class, but they are commented...

Thanks Sebastian for researching! Do you think we should change/fix AntiSamy in some way or are we already doing the best we can with the parsers we are using? -Dave...