AntiSamy Directives
This page explains the purpose of the "directives" in AntiSamy policy files, and what support they have in different versions.
| Directive | Description | Type | Default value (in Java) | Supported in AntiSamy Java? | Supported in AntiSamy .NET? |
|---|---|---|---|---|---|
| useXHTML | When this feature is on, AntiSamy outputs the sanitized data as XHTML rather than plain HTML. | boolean | false | Yes | No |
| omitXMLDeclaration | When useXHTML is on, AntiSamy automatically prepends the XML declaration; enabling this directive tells AntiSamy not to. | boolean | true | Yes | No |
| formatOutput | When enabled, AntiSamy formats the output according to some basic rules and indentation, like a "pretty print". | boolean | true | Yes | No |
| maxInputSize | The maximum size (in bytes) of user input accepted for validation. | integer | 100K | Yes | No |
| embedStyleSheets | When the developer chooses to allow CSS, specifies whether remote stylesheets referenced in the user's input are fetched and embedded into the current user input. | boolean | false | Yes | No |
| maxStyleSheetImports | How many remote stylesheets may be downloaded for any one input. | integer | 1 | Yes | No |
| connectionTimeout | When embedStyleSheets is enabled, the timeout (in milliseconds) used when fetching the offsite resource. This prevents validation threads from blocking on third-party systems that may deliberately respond very slowly. | integer | 1K | Yes | No |
| preserveComments | When enabled, AntiSamy keeps HTML comments supplied in the input. | boolean | false | Yes | No |
| nofollowAnchors | When enabled, AntiSamy appends rel="nofollow" to every anchor (`<a>`) tag supplied in the input. This tells search engines not to associate your site with sites under the control of your users. | boolean | false | Yes | No |
| validateParamAsEmbed | When enabled, AntiSamy treats attributes of `<embed>` tags in the policy the same as `<param>` tags nested inside the `<embed>`, so users can pass data by either method with equal security, according to policy. This is needed for sites that allow users to supply videos, etc. | boolean | false | Yes | No |
| preserveSpace | When enabled, preserves spaces as given in the input without normalization. Right now it only works according to this method. | boolean | false | Yes | No |
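As an added example (not a policy file shipped by the AntiSamy project), the `<directives>` block of an AntiSamy Java policy file that sets the directives above to conservative values, with the reason for each setting in a comment; the `<directive name="..." value="..."/>` element form is assumed to match the AntiSamy policy XML format, which this page itself does not show.

```xml
<!-- Added example: <directives> block for an AntiSamy (Java) policy file.
     The <directive name="..." value="..."/> element form is assumed to
     follow the AntiSamy policy XML format; directive names are the ones
     listed in the table above. -->
<directives>
  <!-- Output form: plain HTML, pretty-printed (the page's defaults). -->
  <directive name="useXHTML" value="false"/>
  <directive name="formatOutput" value="true"/>

  <!-- Cap input size (bytes) so oversized submissions are rejected before
       the parser does any work. 100000 matches the page's 100K default. -->
  <directive name="maxInputSize" value="100000"/>

  <!-- Keep the sanitizer from fetching remote stylesheets: every fetch is an
       outbound request from the validation thread to a user-chosen host. -->
  <directive name="embedStyleSheets" value="false"/>

  <!-- Only relevant if embedStyleSheets is ever turned on: bound the number
       of fetches per input and how long each fetch may block (ms, 1K). -->
  <directive name="maxStyleSheetImports" value="1"/>
  <directive name="connectionTimeout" value="1000"/>

  <!-- Drop HTML comments rather than echoing user-supplied ones. -->
  <directive name="preserveComments" value="false"/>

  <!-- Mark user-supplied links so search engines do not treat them as
       endorsements by this site. -->
  <directive name="nofollowAnchors" value="true"/>

  <!-- Leave off unless users legitimately embed video/plugin content; when
       on, <embed> attributes are validated like nested <param> tags. -->
  <directive name="validateParamAsEmbed" value="false"/>

  <!-- Whitespace normalization stays on (the page's default). -->
  <directive name="preserveSpace" value="false"/>
</directives>
```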