This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP AntiSamy Project"

From OWASP
Jump to: navigation, search
 
(36 intermediate revisions by 8 users not shown)
Line 1: Line 1:
== What is it? ==
+
{|
 +
|-
 +
! width="700" align="center" | <br>
 +
! width="500" align="center" | <br>
 +
|-
 +
| align="right" |
 +
| align="right" |
 +
|}
 +
=Main=
  
The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
  
Philosophically, AntiSamy is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
  
Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.
+
==OWASP AntiSamy Project==
  
Socioeconomically, AntiSamy is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so I'm releasing this for free.
+
OWASP AntiSamy is a library for HTML and CSS encoding.
 +
 
 +
==Introduction==
 +
 
 +
AntiSamy was originally authored by Arshan Dabirsiaghi (arshan.dabirsiaghi [at the] gmail.com) of Contrast Security with help from Jason Li (jason.li [at the] owasp.org) of Aspect Security (http://www.aspectsecurity.com/).
 +
 
 +
==Description==
 +
 
 +
The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server. The term "malicious code" in regards to web applications usually mean "JavaScript." Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner. So we take care of that too.
 +
 
 +
Philosophically, AntiSamy is a departure from contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. We get that.
 +
 
 +
Unfortunately, that's just not very usable in this situation. Typical Internet users are largely pretty bad when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.
  
 
The [[OWASP_Licenses|OWASP licensing policy]] (further explained in the [[Membership|membership FAQ]]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].
 
The [[OWASP_Licenses|OWASP licensing policy]] (further explained in the [[Membership|membership FAQ]]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].
  
== Who are you? ==
 
  
AntiSamy was originally authored by Arshan Dabirsiaghi (arshan.dabirsiaghi [at the] gmail.com) with help from Jason Li (li.jason.c [at the] gmail.com), both of Aspect Security (http://www.aspectsecurity.com/). The problem AntiSamy solves was often described as "impossible" or "impossible to do right". The folks with the AntiSamy project hope to antiquate that idea in a hurry. As of now, there are Java and .NET implementations of AntiSamy, though the framework is implementable in any language. The Java version is callable from ColdFusion. [http://htmlpurifier.org/ HTMLPurifier], another free tool, is a PHP utility similar to AntiSamy and is our official suggestions for PHP. There has not been much interest in this project from the Rails community, so no implementation for Rails is being planned.
+
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== What is AntiSamy ==
  
== What's the difference between AntiSamy Java, .NET, etc.? ==
+
OWASP AntiSamy provides:
  
 
[[AntiSamy Version Differences|This page]] shows a big-picture comparison between the versions. Since it's an unfunded open source project, the ports can't be expected to mirror functionality exactly. If there's something a port is missing -- let us know, and we'll try to accommodate, or write a patch!   
 
[[AntiSamy Version Differences|This page]] shows a big-picture comparison between the versions. Since it's an unfunded open source project, the ports can't be expected to mirror functionality exactly. If there's something a port is missing -- let us know, and we'll try to accommodate, or write a patch!   
  
== How do I get started? ==
+
 
 +
== Presentations ==
 +
 
 +
From OWASP & WASC AppSec U.S. 2007 Conference (San Jose, CA): [http://www.owasp.org/images/e/e9/OWASP-WASCAppSec2007SanJose_AntiSamy.ppt AntiSamy - Picking a Fight with XSS (ppt)] - by Arshan Dabirsiaghi - AntiSamy project lead
 +
 
 +
From OWASP AppSec Europe 2008 (Ghent, Belgium): [http://www.owasp.org/images/4/47/AppSecEU08-AntiSamy.ppt The OWASP AntiSamy project (ppt)] - by Jason Li - AntiSamy project contributor
 +
 
 +
From OWASP AppSec India 2008 (Delhi, India): [https://www.owasp.org/images/9/9d/AppSecIN08-ValidatingRichUserContent.ppt Validating Rich User Content (ppt)] - by Jason Li - AntiSamy project contributor
 +
 
 +
From Shmoocon 2009 (Washington, DC): [http://www.shmoocon.org/2009/slides/OWASP%20Winter%202009%20Shmoocon%20-%20Anti%20Samy.pptx AntiSamy - Picking a Fight with XSS (pptx)] - by Arshan Dabirsiaghi - AntiSamy project lead
 +
 
 +
 
 +
== Project Leader ==
 +
 
 +
[mailto:[email protected] Arshan Dabirsiaghi]
 +
 
 +
 
 +
== Related Projects ==
 +
 
 +
== Ohloh ==
 +
 
 +
* https://www.ohloh.net/p/owaspantisamy
 +
 
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 
 +
== News and Events ==
 +
* [26 Sep 2017] Please update AntiSamy to 1.5.5 or later per [https://nvd.nist.gov/vuln/detail/CVE-2016-10006 CVE-2016-10006]
 +
* [20 Nov 2013] News 2
 +
* [30 Sep 2013] News 1
 +
 
 +
== In Print ==
 +
This project can be purchased as a print on demand book from Lulu.com
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
= How do I get started? =
  
 
There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:
 
There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:
# Download AntiSamy from [http://code.google.com/p/owaspantisamy/downloads/list its home on Google Code]
+
# Download AntiSamy from Maven
 
# Choose one of the standard policy files that matches as close to the functionality you need:
 
# Choose one of the standard policy files that matches as close to the functionality you need:
#* antisamy-slashdot.xml
+
#* antisamy-tinymce-X.X.X.xml
#* antisamy-ebay.xml
+
#* antisamy-slashdot-X.X.X.xml
#* antisamy-myspace.xml
+
#* antisamy-ebay-X.X.X.xml
#* antisamy-anythinggoes.xml
+
#* antisamy-myspace-X.X.X.xml
 +
#* antisamy-anythinggoes-X.X.X.xml
 
# Tailor the policy file according to your site's rules
 
# Tailor the policy file according to your site's rules
 
# Call the API from the code
 
# Call the API from the code
Line 33: Line 107:
 
=== Stage 1 - Downloading AntiSamy ===
 
=== Stage 1 - Downloading AntiSamy ===
  
The following instructions are for AntiSamy Java, the main version. For instructions on the .NET version, see the .NET page.
+
First, add the dependency from Maven:
  
Which package you download depends largely on what you want to do with AntiSamy. If you'd like to extend it or review the code, download the source package. If you're looking to integrate AntiSamy, you can either '''download the antisamy-bin-X.X.X.jar''' (which, before version 1.2 was confusingly called "antisamy-standalone-X.X.X.jar"), which only contains AntiSamy library. This will be the preferred choice for mature enterprise environments who don't want to be caught in classpath issues which may be introduced by the current version.
+
<dependency>
 
+
  <groupId>org.owasp.antisamy</groupId>
The second option is '''downloading antisamy-standalone-X.X.X.jar''', which contains not only the AntiSamy code, but all necessary supporting libraries. This should only be used by applications that don't use the libraries AntiSamy ships with as they might introduce classpath and versioning issues.
+
  <projectId>antisamy</projectId>
 
+
</dependency>
For convenience, the download page also contains the necessary libraries for running AntiSamy in '''antisamy-required-libs.zip'''.
 
 
 
You can Download AntiSamy from [http://code.google.com/p/owaspantisamy/downloads/list its home on Google Code]
 
  
 
=== Stage 2 - Choosing a base policy file ===
 
=== Stage 2 - Choosing a base policy file ===
Line 52: Line 123:
  
 
Accordingly, we've built a policy file that allows fairly similar functionality. All text-formatting tags that operate directly on the font, color or emphasis have been allowed.  
 
Accordingly, we've built a policy file that allows fairly similar functionality. All text-formatting tags that operate directly on the font, color or emphasis have been allowed.  
 
 
  
 
2) antisamy-ebay.xml
 
2) antisamy-ebay.xml
  
 
eBay (http://www.ebay.com/) is the most popular online auction site in the universe, as far as I can tell. It is a public site so anyone is allowed to post listings with rich HTML content. It's not surprising that given the attractiveness of eBay as a target that it has been subject to a few complex XSS attacks. Listings are allowed to contain much more rich content than, say, Slashdot- so it's attack surface is considerably larger. The following tags appear to be accepted by eBay (they don't publish rules): <a>,...
 
eBay (http://www.ebay.com/) is the most popular online auction site in the universe, as far as I can tell. It is a public site so anyone is allowed to post listings with rich HTML content. It's not surprising that given the attractiveness of eBay as a target that it has been subject to a few complex XSS attacks. Listings are allowed to contain much more rich content than, say, Slashdot- so it's attack surface is considerably larger. The following tags appear to be accepted by eBay (they don't publish rules): <a>,...
 
 
  
 
3) antisamy-myspace.xml
 
3) antisamy-myspace.xml
  
MySpace (http://www.myspace.com/) is arguably the most popular social networking site today. Users are allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace is currently using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm (http://namb.la/). The Samy worm, which used fragmentation attacks combined with a word that should have been blacklisted (eval) - was the inspiration for the project.  
+
MySpace (http://www.myspace.com/) was, at the time this project was born, arguably the most popular social networking site today. Users were allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace was using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm (http://namb.la/). The Samy worm, which used fragmentation attacks combined with a word that should have been blacklisted (eval) - was the inspiration for the project.  
 
 
  
 
4) antisamy-anythinggoes.xml
 
4) antisamy-anythinggoes.xml
  
I don't know of a possible use case for this policy file. If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file. Not even MySpace is _this_ crazy. However, it does serve as a good reference because it contains base rules for every element, so you can use it as a knowledge base when using tailoring the other policy files.
+
I don't know of a possible use case for this policy file. If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file. Not even MySpace was _this_ crazy. However, it does serve as a good reference because it contains base rules for every element, so you can use it as a knowledge base when using tailoring the other policy files.
 
 
 
 
  
 
=== Stage 3 - Tailoring the policy file ===
 
=== Stage 3 - Tailoring the policy file ===
Line 80: Line 144:
 
=== Stage 4 - Calling the AntiSamy API ===
 
=== Stage 4 - Calling the AntiSamy API ===
  
Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:
+
Using AntiSamy is easy. Here is an example of invoking AntiSamy with a policy file:
  
<code><pre>import org.owasp.validator.html.*;
+
import org.owasp.validator.html.*;
 
+
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
+
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
 
+
AntiSamy as = new AntiSamy();
+
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policy);
+
CleanResults cr = as.scan(dirtyInput, policy);
 
+
MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function
+
MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function
</pre></code>
 
  
 
There are a few ways to create a Policy object. The <code>getInstance()</code> method can take any of the following:
 
There are a few ways to create a Policy object. The <code>getInstance()</code> method can take any of the following:
Line 97: Line 160:
 
* an InputStream  
 
* an InputStream  
  
Policy files can also be referenced by filename by passing a second argument to the <code>AntiSamy:scan()</code> method as the following examples show.:
+
Policy files can also be referenced by filename by passing a second argument to the <code>AntiSamy:scan()</code> method as the following examples show:
  
<code><pre>AntiSamy as = new AntiSamy();
+
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policyFilePath);</pre></code>
+
CleanResults cr = as.scan(dirtyInput, policyFilePath);</pre></code>
  
 
Finally, policy files can also be referenced by File objects directly in the second parameter:
 
Finally, policy files can also be referenced by File objects directly in the second parameter:
  
<code><pre>AntiSamy as = new AntiSamy();
+
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, new File(policyFilePath));</pre></code>
+
CleanResults cr = as.scan(dirtyInput, new File(policyFilePath));
  
=== Stage 4 - Analyzing CleanResults ===
+
=== Stage 5 - Analyzing CleanResults ===
  
 
The CleanResults object provides a lot of useful stuff.  
 
The CleanResults object provides a lot of useful stuff.  
Line 119: Line 182:
 
<code>getScanTime()</code> - returns the scan time in seconds
 
<code>getScanTime()</code> - returns the scan time in seconds
  
== Project roadmap ==
+
= Acknowledgements =
 +
== Contacting us ==
 +
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.
  
We have a number of milestones we'd like to accomplish with the help of the community. Hopefully we can allocate some funds for this in the OWASP Spring of Code 2008, but it is far too early to tell. In the meantime, this is a labor of love.
+
=== OWASP AntiSamy mailing list ===
 +
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.
  
=== .NET version ===
+
=== Emailing the project lead ===
The .NET version of AntiSamy is available now at the [[:Category:OWASP AntiSamy Project .NET|OWASP AntiSamy .NET]] page. The project was funded by a Summer of Code 2008 grant and was developed primarily by Jerry Hoff with oversight from Arshan Dabirsiaghi.
 
 
 
=== Python version ===
 
A beta Python version is currently being prototyped. As more information becomes available, we will post it here. If you are interesting in helping, please email me (arshan.dabirsiaghi [at the] gmail.com).
 
=== PHP version (no plans) ===
 
Although a PHP version was initially planned, we now suggest [http://htmlpurifier.org HTMLPurifier] for safe rich input validation for PHP applications.
 
  
== Presentations on AntiSamy ==
+
For content which is not appropriate for the public mailing list, you can alternatively contact the project lead, Arshan Dabirsiaghi, at [arshan.dabirsiaghi] at [contrastsecurity.com] or Dave Wichers at [dave.wichers] at [owasp.org].
  
From OWASP & WASC AppSec U.S. 2007 Conference (San Jose, CA): [http://www.owasp.org/images/e/e9/OWASP-WASCAppSec2007SanJose_AntiSamy.ppt AntiSamy - Picking a Fight with XSS (ppt)] - By Arshan Dabirsiaghi - AntiSamy project lead
+
=== Issue tracking ===
  
From OWASP AppSec Europe 2008 (Ghent, Belgium): [http://www.owasp.org/images/4/47/AppSecEU08-AntiSamy.ppt The OWASP AntiSamy project (ppt)] - By Jason Li - AntiSamy project contributor
+
Visit the [https://github.com/nahsra/antisamy/issues GitHub issue tracker].
  
From OWASP AppSec India 2008 (Delhi, India): [https://www.owasp.org/images/9/9d/AppSecIN08-ValidatingRichUserContent.ppt Validating Rich User Content (ppt)] - By Jason Li - AntiSamy project contributor
+
==Sponsors==
 
+
The AntiSamy project is sponsored by [https://www.contrastsecurity.com/ Contrast Security].
== Contacting us ==
 
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.
 
  
=== OWASP AntiSamy mailing list ===
+
The initial Java project was sponsored by the [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]]. The .NET project was sponsored by the [[OWASP Summer of Code 2008]].
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.
 
  
=== Emailing the project lead ===
+
= Road Map =
 +
This section details the status of the various ports of AntiSamy.
  
For content which is not appropriate for the public mailing list, you can alternatively contact the project lead, Arshan Dabirsiaghi, at [arshan.dabirsiaghi] at [aspectsecurity.com] (s/ at the /@/).
+
=== Grails ===
 +
Daniel Bower created a [http://www.grails.org/plugin/sanitizer Grails plugin] for AntiSamy.
  
=== Issue tracking ===
+
=== .NET ===
 +
A .NET port of AntiSamy is available now at the [[:Category:OWASP AntiSamy Project .NET|OWASP AntiSamy .NET]] page. The project was funded by a Summer of Code 2008 grant and was developed by Jerry Hoff. However, this version of AntiSamy has not been updated in a while.
  
Visit the [http://code.google.com/p/owaspantisamy/issues/list Google Code issue tracker].
+
This port is no longer under active development, and is looking for a few good developers to help make it feature-synchronized with the Java version. If it doesn't suit your needs, consider Microsoft's [http://blogs.msdn.com/b/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx AntiXSS] library.
  
== Sponsors ==
+
=== Python ===
 +
A port of AntiSamy to Python was attempted, but has been abandoned since 2010. Michael Coates suggests you check out project Bleach instead: https://pypi.org/project/bleach/
  
The initial Java project was sponsored by the [[OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]]. The .NET project was sponsored by the [[OWASP Summer of Code 2008]]
+
=== PHP ===
 +
Although a PHP version was initially planned, we now suggest [http://htmlpurifier.org HTMLPurifier] for safe rich input validation for PHP applications.
  
 +
=Project About=
 
== Project's Assessment ==
 
== Project's Assessment ==
  
 
This project was assessed by [[:User:Jeff Williams|Jeff Williams]] and his evaluation can be seen [http://spreadsheets.google.com/ccc?key=pAX6n7m2zaTW-JtGBqixbTw '''here'''].
 
This project was assessed by [[:User:Jeff Williams|Jeff Williams]] and his evaluation can be seen [http://spreadsheets.google.com/ccc?key=pAX6n7m2zaTW-JtGBqixbTw '''here'''].
 +
 +
__NOTOC__ <headertabs />
  
 
[[Category:OWASP Project|AntiSamy Project]]
 
[[Category:OWASP Project|AntiSamy Project]]
Line 165: Line 230:
 
[[Category:OWASP Download]]
 
[[Category:OWASP Download]]
 
[[Category:OWASP Release Quality Tool]]
 
[[Category:OWASP Release Quality Tool]]
<math>Insert formula here</math>
+
 
 +
{{OWASP Builders}}

Latest revision as of 22:06, 13 May 2019



OWASP Project Header.jpg

OWASP AntiSamy Project

OWASP AntiSamy is a library for HTML and CSS encoding.

Introduction

AntiSamy was originally authored by Arshan Dabirsiaghi (arshan.dabirsiaghi [at the] gmail.com) of Contrast Security with help from Jason Li (jason.li [at the] owasp.org) of Aspect Security (http://www.aspectsecurity.com/).

Description

The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server. The term "malicious code" in regards to web applications usually mean "JavaScript." Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner. So we take care of that too.

Philosophically, AntiSamy is a departure from contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. We get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely pretty bad when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

The OWASP licensing policy (further explained in the membership FAQ) allows OWASP projects to be released under any approved open source license. Under these guidelines, AntiSamy is distributed under a BSD license.


What is AntiSamy

OWASP AntiSamy provides:

This page shows a big-picture comparison between the versions. Since it's an unfunded open source project, the ports can't be expected to mirror functionality exactly. If there's something a port is missing -- let us know, and we'll try to accommodate, or write a patch!


Presentations

From OWASP & WASC AppSec U.S. 2007 Conference (San Jose, CA): AntiSamy - Picking a Fight with XSS (ppt) - by Arshan Dabirsiaghi - AntiSamy project lead

From OWASP AppSec Europe 2008 (Ghent, Belgium): The OWASP AntiSamy project (ppt) - by Jason Li - AntiSamy project contributor

From OWASP AppSec India 2008 (Delhi, India): Validating Rich User Content (ppt) - by Jason Li - AntiSamy project contributor

From Shmoocon 2009 (Washington, DC): AntiSamy - Picking a Fight with XSS (pptx) - by Arshan Dabirsiaghi - AntiSamy project lead


Project Leader

Arshan Dabirsiaghi


Related Projects

Ohloh


News and Events

  • [26 Sep 2017] Please update AntiSamy to 1.5.5 or later per CVE-2016-10006
  • [20 Nov 2013] News 2
  • [30 Sep 2013] News 1

In Print

This project can be purchased as a print on demand book from Lulu.com


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

  1. Download AntiSamy from Maven
  2. Choose one of the standard policy files that matches as close to the functionality you need:
    • antisamy-tinymce-X.X.X.xml
    • antisamy-slashdot-X.X.X.xml
    • antisamy-ebay-X.X.X.xml
    • antisamy-myspace-X.X.X.xml
    • antisamy-anythinggoes-X.X.X.xml
  3. Tailor the policy file according to your site's rules
  4. Call the API from the code

Stage 1 - Downloading AntiSamy

First, add the dependency from Maven:

<dependency>
  <groupId>org.owasp.antisamy</groupId>
  <projectId>antisamy</projectId>
</dependency>

Stage 2 - Choosing a base policy file

Chances are that your site's use case for AntiSamy is at least roughly comparable to one of the predefined policy files. They each represent a "typical" scenario for allowing users to provide HTML (and possibly CSS) formatting information. Let's look into the different policy files:

1) antisamy-slashdot.xml

Slashdot (http://www.slashdot.org/) is a techie news site that allows users to respond anonymously to news posts with very limited HTML markup. Now Slashdot is not only one of the coolest sites around, it's also one that's been subject to many different successful attacks. Even more unfortunate is the fact that most of the attacks led users to the infamous goatse.cx picture (please don't go look it up). The rules for Slashdot are fairly strict: users can only submit the following HTML tags and no CSS: <b>, <u>, <i>, <a>, <blockquote>.

Accordingly, we've built a policy file that allows fairly similar functionality. All text-formatting tags that operate directly on the font, color or emphasis have been allowed.

2) antisamy-ebay.xml

eBay (http://www.ebay.com/) is the most popular online auction site in the universe, as far as I can tell. It is a public site so anyone is allowed to post listings with rich HTML content. It's not surprising that given the attractiveness of eBay as a target that it has been subject to a few complex XSS attacks. Listings are allowed to contain much more rich content than, say, Slashdot- so it's attack surface is considerably larger. The following tags appear to be accepted by eBay (they don't publish rules): <a>,...

3) antisamy-myspace.xml

MySpace (http://www.myspace.com/) was, at the time this project was born, arguably the most popular social networking site today. Users were allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace was using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm (http://namb.la/). The Samy worm, which used fragmentation attacks combined with a word that should have been blacklisted (eval) - was the inspiration for the project.

4) antisamy-anythinggoes.xml

I don't know of a possible use case for this policy file. If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file. Not even MySpace was _this_ crazy. However, it does serve as a good reference because it contains base rules for every element, so you can use it as a knowledge base when using tailoring the other policy files.

Stage 3 - Tailoring the policy file

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

You may also want to enable/modify some "directives", which are basically advanced user options. This page tells you what the directives are and which versions support them.

Stage 4 - Calling the AntiSamy API

Using AntiSamy is easy. Here is an example of invoking AntiSamy with a policy file:

import org.owasp.validator.html.*;

Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policy);

MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function

There are a few ways to create a Policy object. The getInstance() method can take any of the following:

  • a String filename
  • a File object
  • an InputStream

Policy files can also be referenced by filename by passing a second argument to the AntiSamy:scan() method as the following examples show:

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policyFilePath);</pre></code>

Finally, policy files can also be referenced by File objects directly in the second parameter:

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, new File(policyFilePath));

Stage 5 - Analyzing CleanResults

The CleanResults object provides a lot of useful stuff.

getErrorMessages() - a list of String error messages

getCleanHTML() - the clean, safe HTML output

getCleanXMLDocumentFragment() - the clean, safe XMLDocumentFragment which is reflected in getCleanHTML()

getScanTime() - returns the scan time in seconds

Contacting us

There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.

OWASP AntiSamy mailing list

The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.

Emailing the project lead

For content which is not appropriate for the public mailing list, you can alternatively contact the project lead, Arshan Dabirsiaghi, at [arshan.dabirsiaghi] at [contrastsecurity.com] or Dave Wichers at [dave.wichers] at [owasp.org].

Issue tracking

Visit the GitHub issue tracker.

Sponsors

The AntiSamy project is sponsored by Contrast Security.

The initial Java project was sponsored by the OWASP Spring Of Code 2007. The .NET project was sponsored by the OWASP Summer of Code 2008.

This section details the status of the various ports of AntiSamy.

Grails

Daniel Bower created a Grails plugin for AntiSamy.

.NET

A .NET port of AntiSamy is available now at the OWASP AntiSamy .NET page. The project was funded by a Summer of Code 2008 grant and was developed by Jerry Hoff. However, this version of AntiSamy has not been updated in a while.

This port is no longer under active development, and is looking for a few good developers to help make it feature-synchronized with the Java version. If it doesn't suit your needs, consider Microsoft's AntiXSS library.

Python

A port of AntiSamy to Python was attempted, but has been abandoned since 2010. Michael Coates suggests you check out project Bleach instead: https://pypi.org/project/bleach/

PHP

Although a PHP version was initially planned, we now suggest HTMLPurifier for safe rich input validation for PHP applications.

Project's Assessment

This project was assessed by Jeff Williams and his evaluation can be seen here.

This project is part of the OWASP Builders community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.

Subcategories

This category has only the following subcategory.

O