I’m happy to say that the OWASP AntiSamy 1.1 Java API is officially out! Thanks to everyone on the OWASP AntiSamy mailing list for helping me get a better API out the door. There were really only 5-6 changes worth getting excited about. Here are the highlights:
- Removed accidentally included internal Sun JRE classes (com.sun.*) and replaced them with Xerces classes. This fixes the NoClassDefFoundError you’d hit on non-Sun JREs (for example under IBM WebSphere).
- Refactored the code to remove its reliance on the DOM setUserData() method (a DOM Level 3 call that only appeared in Java 5), so AntiSamy now runs on Java 1.4.
- Escaped ‘#’ in the onsiteURI regular expressions to work around a known JVM regex bug that treated the hash mark as a comment character inside a character class definition, e.g. [0-9A-Z,/#]. The result was that URLs with disallowed protocols got past the check (credit to Richard Rodger of Ricebridge Software for discovering this).
- Fixed a code comment that accidentally credited HTMLCleaner with the cleaning. It should be NekoHTML!
- Also, we’ve got the JavaDocs online at Google!
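To make the onsiteURI point concrete, here is an added example (my own illustration, not AntiSamy code and not the pattern from the AntiSamy policy file) of an allowlist check for on-site URL attribute values. The regular expression is written for this example; it keeps the hash mark escaped as \# inside the character class so that no regex engine can mistake it for a comment, leaves ‘:’ out of the class so that no scheme can appear, and adds one check the character class alone cannot express: rejecting scheme-relative references such as //evil.example/x. The sample inputs are constructed.

```java
import java.util.regex.Pattern;

/**
 * Added example (not AntiSamy code): an allowlist check for "on-site" URL
 * attribute values in the style of an onsiteURL regular expression.
 * The pattern below was written for this example, not copied from AntiSamy.
 */
public class OnsiteUrlCheck {

    // The hash mark is escaped as \# inside the character class, so it is a
    // literal '#' for any regex engine, including one that would otherwise
    // read '#' as the start of a comment and silently cut the class short.
    // Note what is absent: ':' is not allowed, so no URL scheme can appear.
    private static final Pattern ONSITE_URL = Pattern.compile(
            "^(?:[\\p{L}\\p{N}.\\#@$%+&;\\-_~,?=/!]+|\\#\\w+)$");

    /** Returns true only if the whole value is an acceptable on-site URL. */
    public static boolean isOnsiteUrl(String value) {
        if (value == null) {
            return false;
        }
        // matches() anchors to the whole input; find() would accept a value
        // that merely contains an allowed substring somewhere inside it.
        if (!ONSITE_URL.matcher(value).matches()) {
            return false;
        }
        // Extra check beyond the character class (added here as a caveat):
        // a scheme-relative reference such as //evil.example/x contains no ':'
        // yet still sends the browser off-site, so reject it explicitly.
        return !value.startsWith("//");
    }

    public static void main(String[] args) {
        String[] samples = {             // constructed sample inputs
            "/images/logo.png",          // allowed: site-relative path
            "page.html?id=3&view=full",  // allowed: relative path with query
            "#top",                      // allowed: fragment only
            "javascript:alert(1)",       // rejected: ':' and '(' not in class
            "http://evil.example/",      // rejected: scheme present
            "//evil.example/x",          // rejected: scheme-relative reference
            "data:text/html;base64,AAA=" // rejected: scheme present
        };
        for (int i = 0; i < samples.length; i++) {
            System.out.println((isOnsiteUrl(samples[i]) ? "allow  " : "reject ")
                    + samples[i]);
        }
    }
}
```

Two things to take from it: validate attribute values with matches(), never find(), and treat the character class as a positive allowlist, so that anything you did not deliberately put in it (a colon, parentheses, a second leading slash) is rejected by default rather than by a blacklist you have to keep up to date.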
The API is in a good place, and it’s getting the attention of a lot of people. I said from the beginning that if 10 people found AntiSamy useful I’d consider it a success. Considering the thousands of times AntiSamy materials have been downloaded, I really couldn’t be happier about how things have turned out.
However, I don’t want to stay in just the Java world. Early goals for AntiSamy included getting a .NET and PHP version ready by Spring 2008 – that’s still very possible, but not without help. Luckily, it appears that Stas Malyshev from the Zend group (think OWASP Incorporated, mega-focused on PHP) is looking to start the project. I planned to do the .NET version but I’ve been mega busy with other research. Hopefully I can find some OWASP Summer of Code money to get this done! Anybody from the OWASP .NET project feel like collaborating?