
SpoC 007 - OWASP The Anti-Samy Project - Progress Page

Revision as of 16:22, 4 August 2007 by Arshan (talk | contribs)


Great strides have been made, and the scope of the project has expanded in some respects and been reduced in others. This is due to the inclusion of CSS as a source of both valid formatting data and possible malicious code. Consider a user who is incapable of supplying JavaScript but who is capable of supplying CSS. A malicious user could create a div with a positive z-index that overlaid the entire original page in which the div resides. The user could then effect a phishing attack by making the div look like the containing web site's login page.

Although I have gone through W3C's HTML 4.0 specifications and built a strong policy file that only accepts valid HTML, the file will not be complete until CSS can be validated appropriately. Jason Li has been enlisted to help tackle the problem of CSS, both in the XML policy file and in the application. This is essentially the only remaining engineering work, since the validator is already built.
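The overlay risk described above is the reason CSS needs its own policy rather than a pass-through: a property-level allowlist that rejects positioning and stacking properties is enough to stop a user-supplied style from covering the host page. The following is an added illustration of that approach in Python; it is not AntiSamy's code, and its dictionary-based policy is a hypothetical stand-in for the project's XML policy file. Sample styles are constructed for the example.

```python
import re

# Hypothetical policy: each allowed CSS property maps to a pattern that its value
# must match in full. Anything not listed (position, z-index, top, left, width,
# height, behavior, expression(), url(), ...) is rejected by default.
CSS_POLICY = {
    "color": re.compile(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]+"),
    "background-color": re.compile(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]+"),
    "font-weight": re.compile(r"normal|bold|[1-9]00"),
    "font-size": re.compile(r"[1-9][0-9]?(px|pt|em)"),
    "text-align": re.compile(r"left|right|center|justify"),
    "text-decoration": re.compile(r"none|underline|line-through"),
}


def parse_declarations(style):
    """Split an inline style string into (property, value, raw) triples.

    The raw chunk is kept so the policy check can see obfuscation such as
    comments or backslash escapes that the plain split would otherwise hide.
    """
    decls = []
    for chunk in style.split(";"):
        if ":" not in chunk:
            continue  # empty or malformed chunk, nothing to keep
        prop, _, value = chunk.partition(":")
        decls.append((prop.strip().lower(), value.strip(), chunk))
    return decls


def sanitize_style(style, policy=CSS_POLICY):
    """Return (clean_style, rejected) for a user-supplied inline style.

    clean_style contains only declarations that are in the policy and whose
    value matches the policy pattern; rejected lists (property, value) pairs
    that were dropped, which is useful for logging what users attempted.
    """
    kept, rejected = [], []
    for prop, value, raw in parse_declarations(style):
        pattern = policy.get(prop)
        # Comments and escapes can split or disguise a token (e.g. "col/**/or"),
        # so the validator refuses to vouch for any declaration containing them.
        obfuscated = "/*" in raw or "\\" in raw
        if pattern is None or obfuscated or not pattern.fullmatch(value):
            rejected.append((prop, value))
        else:
            kept.append(f"{prop}: {value}")
    return "; ".join(kept), rejected


if __name__ == "__main__":
    # Constructed sample: harmless formatting mixed with a full-page overlay attempt.
    overlay = ("color: #fff; position: absolute; top: 0; left: 0; "
               "z-index: 9999; width: 100%; height: 100%")
    clean, dropped = sanitize_style(overlay)
    print("kept:    ", clean)
    print("rejected:", dropped)
```

Because the policy is an allowlist, the overlay properties never have to be enumerated as "bad"; the validator keeps only what it recognises and logs the rest, which is the same posture the HTML side of the policy file takes.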

Also, a technical paper (with academic undertones) has been written to justify and explain the position of the API. The paper is essentially complete, but still awaits the inclusion of some performance testing results.

Overall, I'd say the project is 60% finished.