Thursday, March 10, 2011

OWASP AntiSamy v.1.4.4 Released

The OWASP AntiSamy project is an API for safely allowing users to supply their own HTML and CSS without exposure to XSS vulnerabilities.

The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine. We’ve had two engines for the past few versions, but maintaining two engines concurrently is kinda crazy. The SAX version is twice as fast and uses far less memory. Even though all of our test cases pass for both engines, I still anticipate some growing pains in the SAX version, which is why I think most critical applications should stick with 1.4.3 for now.

- fixed error messages not sanitizing CDATA payloads when encountered (this only affects you if you display the error messages and run exactly version 1.4.3)
- tags that are allowed to be empty are no longer hardcoded and can be set in the policy file (), with a safe default list if none are provided
- continued to make the SAX and DOM engines produce semantically, if not literally, identical output
- added test cases to the regression suite
- fixed Julian Cohen’s privately reported stack exhaustion bug by applying a tree depth check (the maximum depth of a DOM tree is now 250)
- no longer Java 1.4 compatible
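The following is an added example, not code from the AntiSamy project or this post, showing how the points above look from the API: the same constructed user input is scanned with both engines so the outputs and error messages can be compared, and a deliberately over-deep document is fed in to exercise the new tree-depth check. The policy file name, the class name, the sample payloads and the assumption that the depth check surfaces as a ScanException are all mine; everything else uses the public AntiSamy 1.4.x API (Policy.getInstance, AntiSamy.scan with the AntiSamy.DOM / AntiSamy.SAX selector, CleanResults).

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example (not part of AntiSamy): run constructed user-supplied HTML
 * through both the DOM and SAX engines, then probe the nesting-depth guard.
 */
public class AntiSamyEngineDemo {

    // Assumption: one of the sample policy files shipped with the AntiSamy
    // distribution, copied into the working directory.
    private static final String POLICY_FILE = "antisamy-slashdot.xml";

    // Depth limit stated in the 1.4.4 release notes.
    private static final int MAX_DEPTH = 250;

    /** Constructed input: benign markup mixed with XSS vectors and a CDATA section. */
    static final String DIRTY =
        "<b>hello</b>"
      + "<script>alert(document.cookie)</script>"
      + "<a href=\"javascript:alert(1)\">link</a>"
      + "<div style=\"background:url(javascript:alert(1))\">styled</div>"
      + "<![CDATA[<img src=x onerror=alert(1)>]]>";

    /** Scans input with the selected engine, prints what was stripped, returns the clean HTML. */
    static String scan(AntiSamy as, Policy policy, String input, int engine)
            throws ScanException, PolicyException {
        CleanResults cr = as.scan(input, policy, engine);
        String label = (engine == AntiSamy.SAX) ? "SAX" : "DOM";
        System.out.println("[" + label + "] clean:  " + cr.getCleanHTML());
        System.out.println("[" + label + "] errors: " + cr.getNumberOfErrors()
            + " (" + cr.getScanTime() + "s)");
        // These messages are intended for display to the user, which is why the
        // 1.4.3 bug of echoing raw CDATA payloads into them mattered.
        for (Object msg : cr.getErrorMessages()) {
            System.out.println("    - " + msg);
        }
        return cr.getCleanHTML();
    }

    /** Builds `depth` nested divs; one more than MAX_DEPTH should trip the depth check. */
    static String deeplyNested(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append("<div>");
        sb.append("x");
        for (int i = 0; i < depth; i++) sb.append("</div>");
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance(POLICY_FILE);
        AntiSamy as = new AntiSamy();

        // 1. Same input through both engines. The release notes only promise
        //    semantically identical output, so a literal diff is informative.
        String dom = scan(as, policy, DIRTY, AntiSamy.DOM);
        String sax = scan(as, policy, DIRTY, AntiSamy.SAX);
        System.out.println("literally identical output: " + dom.equals(sax));

        // 2. Stack-exhaustion guard: a document nested past MAX_DEPTH used to
        //    drive the recursive scanner off the stack. Assumption: the new
        //    depth check reports this as a ScanException.
        try {
            scan(as, policy, deeplyNested(MAX_DEPTH + 1), AntiSamy.DOM);
            System.out.println("depth check did not trigger");
        } catch (ScanException e) {
            System.out.println("depth check triggered: " + e.getMessage());
        }
    }
}
```

Compile and run it with the AntiSamy 1.4.4 jar and its dependencies on the classpath. Keep the probe in step 2 in a test rather than in production code: the point is to confirm that an attacker-controlled document cannot take the sanitizer down before it returns, since a crash in the sanitizer is a denial of service on whatever feature accepts the HTML.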

