
I use the following code to filter out javascript code in user-submitted html files on Android:

    import org.owasp.validator.html.AntiSamy;
    import org.owasp.validator.html.CleanResults;
    import org.owasp.validator.html.Policy;
    import org.owasp.validator.html.PolicyException;
    import org.owasp.validator.html.ScanException;

    // This fragment sits inside a void method, hence the early returns.
    // Load the policy file bundled in the AntiSamy jar.
    Policy antiSamyPolicy;
    try {
        antiSamyPolicy = Policy.getInstance(AntiSamy.class.getResourceAsStream("/antisamy.xml"));
    } catch (PolicyException e) {
        e.printStackTrace();
        return;
    }
    AntiSamy antiSamy = new AntiSamy(antiSamyPolicy);
    CleanResults result;
    try {
        // Scan the untrusted markup; anything the policy does not allow is stripped.
        result = antiSamy.scan(taintedHtml);
    } catch (PolicyException | ScanException e) {
        e.printStackTrace();
        return;
    }
    // The sanitized markup that is safe to render.
    String cleanHtml = result.getCleanHTML();

It loads the bundled policy "antisamy.xml" which is included in AntiSamy (https://github.com/nahsra/antisamy).

All seems to work ok. The only question is how actual is the policy? Is it enough to filter out all javascript code in contemporary html?

  • The file is from 25 days ago, so if you trust the author it's pretty actual – Oct 20 '17 at 15:55
  • The original author of the code was OWASP (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) which could be trustworthy, but now the actuality of the project is questionable to me... – Anton Malyshev Oct 20 '17 at 15:58
  • AFAIK, antisamy works pretty well and because of its behavior (everything is blocked unless the config allows it), you are pretty safe. – Oct 20 '17 at 16:01
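
Rather than judging the policy by its file date, a practitioner can exercise the bundled antisamy.xml against a handful of script-bearing fragments and inspect what survives. The following is an added example, not code from the question or from the AntiSamy project; it assumes AntiSamy is on the classpath, and the sample fragments are constructed for the check.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.util.Arrays;
import java.util.List;

/** Runs the bundled antisamy.xml policy over constructed fragments and reports what remains. */
public class AntiSamyPolicyCheck {

    // Constructed sample inputs: script carried in a tag, an event handler, a URL scheme,
    // an SVG element, and one harmless control fragment.
    static final List<String> SAMPLES = Arrays.asList(
        "<p>hello</p><script>alert(1)</script>",
        "<img src=\"x\" onerror=\"alert(1)\">",
        "<a href=\"javascript:alert(1)\">link</a>",
        "<svg onload=\"alert(1)\"></svg>",
        "<b>plain bold text</b>"
    );

    // Same policy loading as in the question.
    static AntiSamy loadBundled() throws PolicyException {
        Policy policy = Policy.getInstance(AntiSamy.class.getResourceAsStream("/antisamy.xml"));
        return new AntiSamy(policy);
    }

    // Heuristic only: flags obvious script carriers left in the cleaned output.
    // The real guarantee is the policy's allow-list, not this regex.
    static boolean looksScripted(String cleaned) {
        String lower = cleaned.toLowerCase();
        return lower.contains("<script")
            || lower.contains("javascript:")
            || lower.matches("(?s).*\\son[a-z]+\\s*=.*");
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        AntiSamy antiSamy = loadBundled();
        for (String sample : SAMPLES) {
            CleanResults r = antiSamy.scan(sample);
            String cleaned = r.getCleanHTML();
            // getNumberOfErrors() counts the policy violations AntiSamy removed.
            System.out.printf("in : %s%nout: %s%nerrors: %d  scripted: %b%n%n",
                sample, cleaned, r.getNumberOfErrors(), looksScripted(cleaned));
        }
    }
}
```

Any sample that comes back with `scripted: true` is a case the bundled policy did not cover and belongs in a customised policy file rather than in trust of the upstream date.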
