OWASP - User contributions [en]

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:37:10Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
| style="width:25%; background:white" align="center"|'''PART II'''
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The project objectives and deliveries have been accomplished. All the goals of the project have been realized. Code can be downloaded from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet/current/source/%20owaspantisamy Google Code]
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The stated goals have been 100% completed.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Beta Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Some of the documentation in the code needs to be fleshed out.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Any advice on how to make the code more efficient would be greatly appreciated.
|}

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:36:52Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
| style="width:25%; background:white" align="center"|'''PART II'''
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The project objectives and deliveries have been accomplished. All the goals of the project have been realized. Code can be downloaded from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet/current/source/%20owaspantisamy]
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The stated goals have been 100% completed.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Beta Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Some of the documentation in the code needs to be fleshed out.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Any advice on how to make the code more efficient would be greatly appreciated.
|}

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:32:07Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
| style="width:25%; background:white" align="center"|'''PART II'''
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The project objectives and deliveries have been accomplished. All the goals of the project have been realized.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The stated goals have been 100% completed.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Beta Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Some of the documentation in the code needs to be fleshed out.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Any advice on how to make the code more efficient would be greatly appreciated.
|}

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:31:20Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
| style="width:25%; background:white" align="center"|'''PART II'''
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The project objectives and deliveries have been accomplished. All the goals of the project have been realized.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The stated goals have been 100% completed.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Beta Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Some of the documentation in the code needs to be fleshed out.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:29:11Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
The project objectives and deliveries have been accomplished. All the goals of the project have been realized.
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
The stated goals have been 100% completed.
A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
| style="width:25%; background:white" align="center"|'''PART II'''
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- The project objectives and deliveries have been accomplished. All the goals of the project have been realized.
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- The stated goals have been 100% completed.
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Beta Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Some of the documentation in the code needs to be fleshed out.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:27:14Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- The project objectives and deliveries have been accomplished. All the goals of the project have been realized.
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- The stated goals have been 100% completed.
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All terms of Beta Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Some of the documentation in the code needs to be fleshed out.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:26:24Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The project objectives and deliveries have been accomplished. All the goals of the project have been realized.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- The stated goals have been 100% completed.
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- All terms of Alpha Quality status have been fulfilled.
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- All terms of Beta Quality status have been fulfilled.
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- Some of the documentation in the code needs to be fleshed out.
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Project Information:template AntiSamy Project - Final Review - Self Evaluation - B

2008-08-14T19:24:19Z

Jerryhoff:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- The project objectives and deliveries have been accomplished. All the goals of the project have been realized.
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- The stated goals have been 100% completed.
| style="width:25%; background:#7B8ABD" align="center"|
3. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- A live test site will be put up at antisamy.net. We would appreciate testing and fuzzing by the community to find any holes in the validation.
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- All terms of Alpha Quality status have been fulfilled.
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- All terms of Beta Quality status have been fulfilled.
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|- Some of the documentation in the code needs to be fleshed out.
| style="width:25%; background:#7B8ABD" align="center"|
4. What kind of help is required either from the Reviewers or from the OWASP Community?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
|}

Category:OWASP AntiSamy Project .NET

2008-08-01T21:54:06Z

Jerryhoff: /* Emailing the project lead */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

# Download AntiSamy from its home on Google Code
# Choose one of the standard policy files that matches as close to the functionality you need:
#* antisamy-slashdot.xml
#* (more to come in the near future)
# Tailor the policy file according to your site's rules
# Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

Currently, there is only one dependency, HtmlAgilityPack.dll. To run the unit tests, you will also need:
#nunit.core.dll
#nunit.core.interfaces.dll
#nunit.framework.dll

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Limitations ==

No CSS support has been included yet in AntiSamy .NET. It will be added hopefully within the next few months. With the default stylesheet, style tags are not allowed and are stripped out, as is the style attribute.

== Contacting us ==
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.

=== OWASP AntiSamy mailing list ===
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.

=== Emailing the project lead ===

For content which is not appropriate for the public mailing list, you can alternatively contact Jerry Hoff, at [jerry.hoff] at the [aspectsecurity.com] (s/ at the /@/).

=== Issue tracking ===

Visit the [http://code.google.com/p/owaspantisamy/issues/list Google Code issue tracker]

Visit the Google Code issue tracker

Category:OWASP AntiSamy Project .NET

2008-07-31T14:54:37Z

Jerryhoff: /* Getting Started */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

# Download AntiSamy from its home on Google Code
# Choose one of the standard policy files that matches as close to the functionality you need:
#* antisamy-slashdot.xml
#* (more to come in the near future)
# Tailor the policy file according to your site's rules
# Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

Currently, there is only one dependency, HtmlAgilityPack.dll. To run the unit tests, you will also need:
#nunit.core.dll
#nunit.core.interfaces.dll
#nunit.framework.dll

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Limitations ==

No CSS support has been included yet in AntiSamy .NET. It will be added hopefully within the next few months. With the default stylesheet, style tags are not allowed and are stripped out, as is the style attribute.

== Contacting us ==
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.

=== OWASP AntiSamy mailing list ===
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.

=== Emailing the project lead ===

For content which is not appropriate for the public mailing list, you can alternatively contact the project lead, Arshan Dabirsiaghi, at [arshan.dabirsiaghi] at the [aspectsecurity.com] (s/ at the /@/).

=== Issue tracking ===

Visit the [http://code.google.com/p/owaspantisamy/issues/list Google Code issue tracker]

Visit the Google Code issue tracker

Category:OWASP AntiSamy Project .NET

2008-07-31T14:54:04Z

Jerryhoff: /* Contacting us */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

#. Download AntiSamy from its home on Google Code
#. Choose one of the standard policy files that matches as close to the functionality you need:
*. antisamy-slashdot.xml
*. (more to come in the near future)
#. Tailor the policy file according to your site's rules
#. Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

Currently, there is only one dependency, HtmlAgilityPack.dll. To run the unit tests, you will also need:
#nunit.core.dll
#nunit.core.interfaces.dll
#nunit.framework.dll

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Limitations ==

No CSS support has been included yet in AntiSamy .NET. It will be added hopefully within the next few months. With the default stylesheet, style tags are not allowed and are stripped out, as is the style attribute.

== Contacting us ==
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.

=== OWASP AntiSamy mailing list ===
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.

=== Emailing the project lead ===

For content which is not appropriate for the public mailing list, you can alternatively contact the project lead, Arshan Dabirsiaghi, at [arshan.dabirsiaghi] at the [aspectsecurity.com] (s/ at the /@/).

=== Issue tracking ===

Visit the [http://code.google.com/p/owaspantisamy/issues/list Google Code issue tracker]

Visit the Google Code issue tracker

Category:OWASP AntiSamy Project .NET

2008-07-30T06:20:04Z

Jerryhoff:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

#. Download AntiSamy from its home on Google Code
#. Choose one of the standard policy files that matches as close to the functionality you need:
*. antisamy-slashdot.xml
*. (more to come in the near future)
#. Tailor the policy file according to your site's rules
#. Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

Currently, there is only one dependency, HtmlAgilityPack.dll. To run the unit tests, you will also need:
#nunit.core.dll
#nunit.core.interfaces.dll
#nunit.framework.dll

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Limitations ==

No CSS support has been included yet in AntiSamy .NET. It will be added hopefully within the next few months. With the default stylesheet, style tags are not allowed and are stripped out, as is the style attribute.

== Contacting us ==

=== OWASP AntiSamy mailing list ===

=== Emailing the project lead ===

=== Issue tracking ===

Category:OWASP AntiSamy Project .NET

2008-07-30T06:17:55Z

Jerryhoff: /* Installing */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

#. Download AntiSamy from its home on Google Code
#. Choose one of the standard policy files that matches as close to the functionality you need:
*. antisamy-slashdot.xml
*. (more to come in the near future)
#. Tailor the policy file according to your site's rules
#. Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

Currently, there is only one dependency, HtmlAgilityPack.dll. To run the unit tests, you will also need:
#nunit.core.dll
#nunit.core.interfaces.dll
#nunit.framework.dll

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Contacting us ==

=== OWASP AntiSamy mailing list ===

=== Emailing the project lead ===

=== Issue tracking ===

Category:OWASP AntiSamy Project .NET

2008-07-30T06:15:28Z

Jerryhoff: /* Downloading */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

#. Download AntiSamy from its home on Google Code
#. Choose one of the standard policy files that matches as close to the functionality you need:
*. antisamy-slashdot.xml
*. (more to come in the near future)
#. Tailor the policy file according to your site's rules
#. Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Contacting us ==

=== OWASP AntiSamy mailing list ===

=== Emailing the project lead ===

=== Issue tracking ===

Category:OWASP AntiSamy Project .NET

2008-07-30T06:14:01Z

Jerryhoff: /* Tailoring the policy file */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

#. Download AntiSamy from its home on Google Code
#. Choose one of the standard policy files that matches as close to the functionality you need:
*. antisamy-slashdot.xml
*. (more to come in the near future)
#. Tailor the policy file according to your site's rules
#. Call the API from the code

=== Downloading ===

The source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Contacting us ==

=== OWASP AntiSamy mailing list ===

=== Emailing the project lead ===

=== Issue tracking ===

Category:OWASP AntiSamy Project .NET

2008-07-30T06:13:30Z

Jerryhoff: /* Installing */

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template AntiSamy Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template AntiSamy Project}}
[[Category:OWASP Project]]

[[Category:OWASP_AntiSamy_Project]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

#. Download AntiSamy from its home on Google Code
#. Choose one of the standard policy files that matches as close to the functionality you need:
*. antisamy-slashdot.xml
*. (more to come in the near future)
#. Tailor the policy file according to your site's rules
#. Call the API from the code

=== Downloading ===

The source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

=== Tailoring the policy file ===

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Contacting us ==

=== OWASP AntiSamy mailing list ===

=== Emailing the project lead ===

=== Issue tracking ===

Category:OWASP AntiSamy Project .NET

2008-07-30T06:12:22Z

Jerryhoff: /* Downloading */

Category:OWASP AntiSamy Project .NET

2008-07-30T06:10:35Z

Jerryhoff: /* Running */

Category:OWASP AntiSamy Project .NET

2008-07-30T06:09:12Z

Jerryhoff: /* Running */

Category:OWASP AntiSamy Project .NET

2008-07-30T06:09:00Z

Jerryhoff: /* Running */

Category:OWASP AntiSamy Project .NET

2008-07-30T06:08:39Z

Jerryhoff: /* Running */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:49:44Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:49:16Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:49:01Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:48:44Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:48:05Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:47:38Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:45:18Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:44:38Z

Jerryhoff: /* Getting Started */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:42:39Z

Jerryhoff: /* Capabilities */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:41:57Z

Jerryhoff: /* What is AntiSamy .NET? */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:40:10Z

Jerryhoff: /* What is AntiSamy .NET? */

Category:OWASP AntiSamy Project .NET

2008-07-30T05:39:25Z

Jerryhoff: /* What is AntiSamy .NET? */