I’m happy to say that the OWASP AntiSamy 1.1 Java API is officially out! Thanks to everyone on the OWASP AntiSamy mailing list for helping me get a better API out the door. There were really only 5-6 changes worth getting excited about. Here are the highlights:

  • Removed accidentally included internal Sun JRE classes (com.sun.*) and replaced them with Xerces classes. This fixes the NoClassDefFoundError you’d encounter on non-Sun JREs (such as IBM WebSphere).
  • Refactored the code to remove its reliance on the setUserData() method, so that it runs on Java 1.4.
  • Escaped ‘#’ in the onsiteURI regular expressions to address a known bug in the JVM that interpreted the hash mark as a comment character inside character class definitions, e.g. [0-9A-Z,/#]. The flaw allowed URLs with disallowed protocols to pass the check (credit to Richard Rodger of Ricebridge Software for discovering this).
  • Changed a code comment that accidentally credited HTMLCleaner with the cleaning – it should be NekoHTML!
  • Also, we’ve got the JavaDocs online at Google!
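To make the onsiteURI point concrete, here is an added example (not AntiSamy's own code; the character class is a constructed approximation of a policy regex, not the shipped one) of an allow-list check where the hash mark is escaped so it can never be read as a comment marker, and where the absence of ':' from the class is what keeps scheme-bearing URLs out:

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Allow-list check for site-relative URIs, modelled on the 1.1 fix above. */
public class OnsiteUriCheck {

    // Characters permitted in an onsite URI (constructed list, not the real
    // policy). No ':' is listed, so nothing carrying a scheme ("javascript:",
    // "http:", "data:") can ever match. The '#' is escaped as \# so that no
    // regex mode can treat it as the start of a comment; an unescaped '#' is
    // what silently truncated the class and let disallowed protocols through.
    private static final String ALLOWED_CHARS =
        "\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\{\\}\\(\\)";

    // Either a non-empty path built only from allowed characters, or a bare
    // fragment such as "#top". Anchored so the whole string must conform.
    private static final Pattern ONSITE_URI =
        Pattern.compile("^(?:[" + ALLOWED_CHARS + "]+|\\#\\w+)$");

    /** True only if the entire URI matches the allow-list; null never passes. */
    public static boolean isOnsite(String uri) {
        return uri != null && ONSITE_URI.matcher(uri).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real page or policy file.
        List<String> samples = Arrays.asList(
            "/images/logo.png",          // plain relative path -> allowed
            "page.html?id=3#top",        // query string and fragment -> allowed
            "#section-2",                // fragment only -> allowed
            "",                          // empty -> rejected
            "javascript:alert(1)",       // scheme -> rejected
            "http://other.example/",     // absolute URL -> rejected
            "data:text/html;base64,QQ==" // scheme -> rejected
        );
        for (String s : samples) {
            System.out.printf("%-30s %s%n", s, isOnsite(s) ? "allowed" : "rejected");
        }
    }
}
```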

The API is in a good place, and it’s getting the attention of a lot of people. I said from the beginning that if 10 people found AntiSamy useful I’d consider it a success. Considering the thousands of times AntiSamy materials have been downloaded, I really couldn’t be happier about how things have turned out.

However, I don’t want to stay in just the Java world. Early goals for AntiSamy included getting a .NET and PHP version ready by Spring 2008 – that’s still very possible, but not without help. Luckily, it appears that Stas Malyshev from the Zend group (think OWASP Incorporated, mega-focused on PHP) is looking to start the project. I planned to do the .NET version, but I’ve been mega busy with other research. Hopefully I can find some OWASP Summer of Code money to get this done! Anybody from the OWASP .NET project feel like collaborating?