Category:OWASP AntiSamy Project

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

1. Download AntiSamy from Maven
2. Choose one of the standard policy files that matches as close to the functionality you need:
   • antisamy-tinymce-X.X.X.xml
   • antisamy-slashdot-X.X.X.xml
   • antisamy-ebay-X.X.X.xml
   • antisamy-myspace-X.X.X.xml
   • antisamy-anythinggoes-X.X.X.xml
3. Tailor the policy file according to your site's rules
4. Call the API from the code

Stage 1 - Downloading AntiSamy

First, add the dependency from Maven:

<dependency>
  <groupId>org.owasp.antisamy</groupId>
  <projectId>antisamy</projectId>
</dependency>

Stage 2 - Choosing a base policy file

Chances are that your site's use case for AntiSamy is at least roughly comparable to one of the predefined policy files. They each represent a "typical" scenario for allowing users to provide HTML (and possibly CSS) formatting information. Let's look into the different policy files:

1) antisamy-slashdot.xml

Slashdot (http://www.slashdot.org/) is a techie news site that allows users to respond anonymously to news posts with very limited HTML markup. Now Slashdot is not only one of the coolest sites around, it's also one that's been subject to many different successful attacks. Even more unfortunate is the fact that most of the attacks led users to the infamous goatse.cx picture (please don't go look it up). The rules for Slashdot are fairly strict: users can only submit the following HTML tags and no CSS: <b>, <u>, <i>, <a>, <blockquote>.

Accordingly, we've built a policy file that allows fairly similar functionality. All text-formatting tags that operate directly on the font, color or emphasis have been allowed.

2) antisamy-ebay.xml

eBay (http://www.ebay.com/) is the most popular online auction site in the universe, as far as I can tell. It is a public site so anyone is allowed to post listings with rich HTML content. It's not surprising that given the attractiveness of eBay as a target that it has been subject to a few complex XSS attacks. Listings are allowed to contain much more rich content than, say, Slashdot- so it's attack surface is considerably larger. The following tags appear to be accepted by eBay (they don't publish rules): <a>,...

3) antisamy-myspace.xml

MySpace (http://www.myspace.com/) was, at the time this project was born, arguably the most popular social networking site today. Users were allowed to submit pretty much all HTML and CSS they want - as long as it doesn't contain JavaScript. MySpace was using a word blacklist to validate users' HTML, which is why they were subject to the infamous Samy worm (http://namb.la/). The Samy worm, which used fragmentation attacks combined with a word that should have been blacklisted (eval) - was the inspiration for the project.

4) antisamy-anythinggoes.xml

I don't know of a possible use case for this policy file. If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file. Not even MySpace was _this_ crazy. However, it does serve as a good reference because it contains base rules for every element, so you can use it as a knowledge base when using tailoring the other policy files.

Stage 3 - Tailoring the policy file

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

You may also want to enable/modify some "directives", which are basically advanced user options. This page tells you what the directives are and which versions support them.

Stage 4 - Calling the AntiSamy API

Using AntiSamy is easy. Here is an example of invoking AntiSamy with a policy file:

import org.owasp.validator.html.*;

Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policy);

MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function

There are a few ways to create a Policy object. The getInstance() method can take any of the following:

• a String filename
• a File object
• an InputStream

Policy files can also be referenced by filename by passing a second argument to the AntiSamy:scan() method as the following examples show:

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policyFilePath);</pre></code>

Finally, policy files can also be referenced by File objects directly in the second parameter:

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, new File(policyFilePath));

Stage 5 - Analyzing CleanResults

The CleanResults object provides a lot of useful stuff.

getErrorMessages() - a list of String error messages

getCleanHTML() - the clean, safe HTML output

getCleanXMLDocumentFragment() - the clean, safe XMLDocumentFragment which is reflected in getCleanHTML()

getScanTime() - returns the scan time in seconds

Contacting us

There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.

OWASP AntiSamy mailing list

The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.

Emailing the project lead

For content which is not appropriate for the public mailing list, you can alternatively contact the project lead, Arshan Dabirsiaghi, at [arshan.dabirsiaghi] at [contrastsecurity.com] or Dave Wichers at [dave.wichers] at [owasp.org].

Issue tracking

Visit the GitHub issue tracker.

Sponsors

The AntiSamy project is sponsored by Contrast Security.

The initial Java project was sponsored by the OWASP Spring Of Code 2007. The .NET project was sponsored by the OWASP Summer of Code 2008.

This section details the status of the various ports of AntiSamy.

Grails

Daniel Bower created a Grails plugin for AntiSamy.

.NET

A .NET port of AntiSamy is available now at the OWASP AntiSamy .NET page. The project was funded by a Summer of Code 2008 grant and was developed by Jerry Hoff. However, this version of AntiSamy has not been updated in a while.

This port is no longer under active development, and is looking for a few good developers to help make it feature-synchronized with the Java version. If it doesn't suit your needs, consider Microsoft's AntiXSS library.

Python

A port of AntiSamy to Python was attempted, but has been abandoned since 2010. Michael Coates suggests you check out project Bleach instead: https://pypi.org/project/bleach/

PHP

Although a PHP version was initially planned, we now suggest HTMLPurifier for safe rich input validation for PHP applications.

Project's Assessment

This project was assessed by Jeff Williams and his evaluation can be seen here.