
I use AntiSamy for validating HTML. My policy allows iframes, like YouTube videos. The problem is: if the tag is empty (like this):

<iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen></iframe>

then after cleaning it will look like this:

<iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen/>

But it should have a normal closing tag.

And this breaks all content on the page after it. I already set my directives to use mostly HTML but not XML:

<directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="omitDoctypeDeclaration" value="true"/>
    <directive name="maxInputSize" value="200000"/>
    <directive name="nofollowAnchors" value="true" />
    <directive name="validateParamAsEmbed" value="true" />
    <directive name="useXHTML" value="false"/>

    <directive name="embedStyleSheets" value="false"/> 
    <directive name="connectionTimeout" value="5000"/>
    <directive name="maxStyleSheetImports" value="3"/>
    <directive name="formatOutput" value="false"/>
</directives>

But this does not help.

UPD: switching between parsers and playing with directives still did not give any results.

UPD2: this is the part of my configuration responsible for handling the iframe tag:

    <tag name="iframe" action="validate">
        <attribute name="src">
            <regexp-list>
                <regexp name="youtube"/>
                <regexp name="slideshare"/>
            </regexp-list>
        </attribute>
        <attribute name="allowfullscreen">
             <regexp-list>
                 <regexp name="anything"/>
             </regexp-list>
        </attribute>
        <attribute name="scrolling">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="marginwidth">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="marginheight">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="frameborder">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="style"/>
    </tag>

Any idea?

msangel
  • I know 4 years have passed... but by any chance, can you recollect whether you managed to resolve this? Grasping at straws for the last two days – Rohan210 Sep 07 '17 at 12:43

2 Answers


Try this -

<tag name="iframe" action="validate"/>

And add a tag to this list -

<allowed-empty-tags>
   <literal-list>
      <literal value="iframe"/>
   </literal-list>
</allowed-empty-tags>

See http://code.google.com/p/owaspantisamy/...

  • This was done. I updated my question. Thanks. The problem is: it validates and handles it correctly. But if the tag has an empty body, it is replaced with a self-enclosed tag. But some tags (iframe, form, ...) do not work in the browser if self-enclosed. – msangel Oct 13 '13 at 09:17
  • Same. I already have this. This is responsible for allowing self-closed tags, but has no impact on tag transformation. – msangel Oct 13 '13 at 09:33
  • Even more, I already have my own type of `AntiSamySAXScanner` and am playing with the keys at http://nekohtml.sourceforge.net/settings.html, but still no result yet. – msangel Oct 13 '13 at 09:33
  • I am having the same issue. How did you resolve it ? – Vikas Sharma Jul 11 '16 at 06:50

I ran into the same issue. In my case it was due to the AntiSamy policy having this directive:

<directive name="useXHTML" value="true" /> 

Which, per the OWASP documentation, will output the sanitized data in XHTML format as opposed to just regular HTML. Please see: https://www.owasp.org/index.php/AntiSamy_Directives

Changing that value to false will allow the sanitized output to be provided as valid HTML. Block-level elements will not be shortened and become invalid markup.

JHuckins
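As an added regression check (not code from either answer or from the AntiSamy project), the following Java snippet loads a policy and verifies that the sanitized output keeps an explicit `</iframe>` instead of a self-closed tag. It assumes a policy file named `antisamy-policy.xml` (hypothetical) that contains the iframe tag definition from the question with `useXHTML` set to `false`; the sample input is constructed from the question's embed.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

// Regression check for the self-closing <iframe> problem discussed above.
public class IframeClosingTagCheck {

    // Hypothetical policy file: iframe tag rules from the question plus useXHTML=false.
    private static final String POLICY_PATH = "antisamy-policy.xml";

    // Constructed sample: the question's embed with content before and after it,
    // so we can see whether the trailing content survives the sanitizer.
    private static final String SAMPLE =
        "<p>before</p>"
        + "<iframe src=\"//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage\""
        + " allowfullscreen></iframe>"
        + "<p>after</p>";

    // Returns true when the output contains an explicit closing tag and no
    // self-closed <iframe .../>. A self-closed iframe is the failure mode from
    // the question: browsers treat everything after it as iframe fallback content,
    // so the rest of the page disappears.
    static boolean iframeProperlyClosed(String cleanHtml) {
        boolean hasExplicitClose = cleanHtml.contains("</iframe>");
        boolean selfClosed = cleanHtml.matches("(?s).*<iframe[^>]*/>.*");
        return hasExplicitClose && !selfClosed;
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(POLICY_PATH);
        CleanResults results = new AntiSamy().scan(SAMPLE, policy);
        String clean = results.getCleanHTML();

        System.out.println(clean);
        // Surface policy violations (e.g. an iframe src that failed the regex whitelist).
        System.out.println("policy messages: " + results.getNumberOfErrors());
        for (Object msg : results.getErrorMessages()) {
            System.out.println("  " + msg);
        }
        if (!iframeProperlyClosed(clean)) {
            throw new IllegalStateException(
                "iframe was emitted self-closed; check the useXHTML directive: " + clean);
        }
    }
}
```

Run it once with `useXHTML` true and once with it false to see the check fail and then pass on the same input.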