Some time ago, I received a security notification from Github regarding a vulnerability [1][2] in Antisamy.
It took me a while to find out that it was a false positive.
But the issue in [1] did mention that Antisamy seems to be lacking a maintainer. A worthwhile replacement was suggested as being HTML Sanitizer [3][5][6].
I started using the HTML Sanitizer in my project and I like it. The fact that I don't need an XML configuration file is a plus.
There's a StackOverflow answer on the why and how of the two projects [4].
The only thing missing is the policy configuration files from AntiSamy, which are not present in any form in HTML Sanitizer, so you either have to write your own or get them from here [7].
The file is called HTMLSanitizerAntiSamyPolicy.java.
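As an added example (not code from the original post, from AntiSamy or from the HTML Sanitizer project), here is what such a policy looks like when written in Java instead of an AntiSamy XML file; the class name and the allowed tag list are my own choices, and the sample input is constructed:

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class CommentSanitizer {

    // Allowlist policy built in code. It plays the role the element and
    // attribute rules of an AntiSamy XML policy file would play: anything
    // not listed here (script, style, iframe, on* event handlers,
    // javascript: URLs) is dropped by the sanitizer.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "em", "strong",
                           "ul", "ol", "li", "blockquote", "code", "pre")
            .allowElements("a")
            // Only href is kept on links, and only with http/https URLs.
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https")
            // Every surviving link gets rel="nofollow" added.
            .requireRelNofollowOnLinks()
            .toFactory();

    // Run untrusted markup through the policy; the result is safe to embed
    // in a page as HTML (it is not an escaping step, it is an allowlist).
    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input, chosen to exercise each rule above.
        String input = "<p onmouseover=\"alert(1)\">Hello <b>world</b>"
                + "<script>alert(document.cookie)</script>"
                + "<a href=\"javascript:alert(1)\">bad link</a> "
                + "<a href=\"https://example.com/\">good link</a></p>";
        // The event handler, the script block and the javascript: URL are
        // removed; the formatting and the https link survive.
        System.out.println(sanitize(input));
    }
}
```

The policy object is thread-safe and built once, so keeping it in a static field as above is the usual pattern.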
References
- [1] Github - Antisamy issues, https://github.com/nahsra/antisamy/issues/32
- [2] CVE details - CVE-2018-1000643, https://www.cvedetails.com/cve/CVE-2018-1000643/
- [3] OWASP Java HTML Sanitizer Project, https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
- [4] Java: Owasp AntiSamy vs Owasp-java-html-sanitize, https://stackoverflow.com/questions/28577738/java-owasp-antisamy-vs-owasp-java-html-sanitize/29259874
- [5] GitHub - OWASP/java-html-sanitizer, https://github.com/OWASP/java-html-sanitizer
- [6] MailingList - HTML Sanitizer, https://lists.owasp.org/pipermail/owasp-leaders/2011-March/004883.html
- [7] GitHub - ESAPI/esapi-java-legacy - New file to use Java HTML Sanitizer that implements old AntiSamy poli…, https://github.com/ESAPI/esapi-java-legacy/commit/d48e5a6f07601322c44c113058526eb133b777a5#diff-72ca1caf39f169db1ab83d2af2ec6cc3l