Published on March 11th, 2011 | by NJ Ouchn0
OWASP AntiSamy v1.4.4 released
The OWASP AntiSamy project (http://www.owasp.org/index.php/AntiSamy) is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
The methodology of AntiSamy is unique in that it is built on a positive security model in both the format of the HTML document and the content within the document.
- Fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you use error messages + exactly version 1.4.3)
- Tags that are allowed to be empty are no longer hardcoded and can be set in the policy file (), with a safe default list if none are provided
- Continued to try to make SAX and DOM version semantically if not literally identical output
- Added test cases to regression
- Fixed Julian Cohen’s privately reported stack exhaustion bug by applying a tree depth check (the max depth of a DOM tree is now 250)