We released AntiSamy 1.4.2 a few days ago. This is a minor release with a lot of housecleaning behind it. The main purpose for the release was to address a vulnerability in the DOM engine discovered by Michael Kirchner, Barbara Schachner and Jan Wolff. The bypass is hilariously simple and incredibly frustrating:
The new SAX parser in AntiSamy was not vulnerable. But wait a minute, isn’t CDATA supposed to be inert? From Wikipedia:
In an XML document or external parsed entity, a CDATA section is a section of element content that is marked for the parser to interpret as only character data, not markup.
UPDATE: @Lever_One also points out that an invalid start sequence for CDATA was being honored in my library: <!CDATA[.
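As an added regression check (my own illustration here, not code from the AntiSamy release), the following Java 5+ program feeds both CDATA start sequences mentioned above through the DOM and SAX engines and fails if either marker survives in the cleaned output. The policy file path "antisamy.xml" is an assumption; the scan-type constants `AntiSamy.DOM` and `AntiSamy.SAX` are the ones exposed by the 1.4 API.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Regression check: a CDATA section is inert only to an XML parser; a browser
 * renders whatever sits inside it, so sanitized output must never carry one.
 * Probes both start sequences named in the post against both engines.
 */
public class CdataRegressionCheck {

    // Constructed probes: benign text wrapped in a well-formed and a malformed CDATA start.
    private static final String[] PROBES = {
        "<p><![CDATA[probe]]></p>",
        "<p><!CDATA[probe]]></p>",
    };
    private static final String[] FORBIDDEN = { "<![CDATA[", "<!CDATA[" };

    /** True when no CDATA start sequence survives in the cleaned HTML. */
    static boolean cdataStripped(String cleanHtml) {
        for (String marker : FORBIDDEN) {
            if (cleanHtml.contains(marker)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws PolicyException, ScanException {
        // "antisamy.xml" is an assumed path; point it at the policy file you actually ship.
        Policy policy = Policy.getInstance("antisamy.xml");
        AntiSamy antiSamy = new AntiSamy();
        boolean allPassed = true;
        for (int engine : new int[] { AntiSamy.DOM, AntiSamy.SAX }) {
            String name = (engine == AntiSamy.DOM) ? "DOM" : "SAX";
            for (String probe : PROBES) {
                CleanResults result = antiSamy.scan(probe, policy, engine);
                String clean = result.getCleanHTML();
                boolean ok = cdataStripped(clean);
                allPassed &= ok;
                System.out.println(name + (ok ? " OK   " : " FAIL ") + probe + " -> " + clean);
            }
        }
        // Non-zero exit lets a build pipeline fail on a regression.
        System.exit(allPassed ? 0 : 1);
    }
}
```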
Here’s the changelist:
- Fixed a bug that caused some low range characters to go unencoded during serialization (no bypass, but still a bug)
- Added the ability to nest policy files (policy A can include another policy file B)
- Some performance enhancements
- Added missing error messages in the SAX engine
There’s also some notable housekeeping for our users:
- This is our last Java 1.4 release. Our next release will be Java 1.5 compliant, and probably will be for a few years.
- This is the last release where the DOM engine will be the default parsing engine. SAX is much faster and better on memory.
- AntiSamy has been moved into the Maven central repository, starting with this release (group ID = org.owasp.antisamy, parent group = org.owasp).
Big thanks to Jason Li for his continued assistance on the project and August Detlefsen for his help tracking down some bugs. Biggest props go to Chris Schmidt for refactoring the project in SVN and getting AntiSamy into Maven Central.
As always, feedback is greatly appreciated.