I’m happy to say there’s a new version of AntiSamy out today! There were many more changes between 1.1 and 1.1.1 than there were from 1.0 to 1.1! And I’m thrilled about that, if that makes any sense – it means that usage really grew! Many international users made requests and e-mailed fixes to the mailing list. Also, some other folks expressed interest in figuring out better and more consistent HTML entity translation. Hopefully everyone will be happy as I feel like I’ve addressed almost all of the open issues and even included a few enhancements. In the future, if you find a problem, I suggest you email the mailing list to get my attention, but also fill out an issue on the project issues page. You can test out the 1.1.1 version on the AntiSamy test page.

Also, as of the new 1.1.1 version, AntiSamy is being shipped with the OWASP ESAPI project – ESAPI can officially do everything now! Anyway, it’s ready for download from the project page. Here’s the official changelist:

  • Began using (X)HTMLSerializer instead of XMLSerializer to recognize HTML entities
  • Removed any invalid XML characters before processing in order to avoid XML exceptions (thanks to Gareth Heyes, Michael Coates, et al. who discovered independently)
  • Fixed code to remove any lingering Java 1.5 dependencies (for real this time)
  • Cleaned up AntiSamy() main method to be a little more organized
  • Fixed the “dangling quote” scenario which could cause XSS if a getCleanHTML() call ended up inside a textbox value attribute
  • Added *true* XHTML support with new directive in policy file (“useXHTML”)
  • Introduced the ability to specify encoding for input and output (will still rely on you setting your page charsets appropriately though)
  • Made the policy files tolerant of non-latin characters for i18n support
  • Removed automatic HTML entity translation support (HTML entities are international, ASCII character code points (e.g.   ) aren’t)
  • Upgraded nekohtml to version 1.9.7
  • Upgraded Xerces to 2.9.1
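The “dangling quote” item above is worth spelling out, because it is a hazard that sits on the consumer's side of any sanitizer, not just AntiSamy's: a fragment of rich HTML that contains an unbalanced double quote will terminate an attribute early if it is dropped raw into `value="..."`. The snippet below is an added example written for this post, not AntiSamy code (it is Python rather than Java and constructs its own sample fragment). It shows a check for stray quotes in the text content of a fragment, the embedding pattern that is unsafe, and the attribute-encoded form that closes the attribute where the template says it does.

```python
import html
import re

# Constructed sample of sanitizer output containing one unbalanced double quote.
# This is NOT real AntiSamy output; it stands in for the "dangling quote" case.
SANITIZED_FRAGMENT = '<b>Say "hello</b>'

_TAG_RE = re.compile(r'<[^>]*>')


def dangling_quote_count(fragment: str) -> int:
    """Number of raw double quotes in the text content of an HTML fragment.

    Tags (and therefore their quoted attribute values) are stripped first,
    so any remaining quote is one that would escape an enclosing attribute.
    """
    text_only = _TAG_RE.sub('', fragment)
    return text_only.count('"')


def embed_in_value_attr_unsafe(fragment: str) -> str:
    """The pattern the changelist warns about: rich HTML placed straight
    into a value attribute. A stray quote ends the attribute early."""
    return '<input type="text" value="%s">' % fragment


def embed_in_value_attr(fragment: str) -> str:
    """Defensive form: attribute-encode the whole string. Quotes, angle
    brackets and ampersands become entities, so the browser sees exactly
    one attribute value regardless of what the sanitizer let through."""
    return '<input type="text" value="%s">' % html.escape(fragment, quote=True)


def attribute_closes_cleanly(markup: str) -> bool:
    """True if the value attribute holds no raw double quote between its
    opening quote and the closing '">' of the template."""
    m = re.fullmatch(r'<input type="text" value="(.*)">', markup, re.S)
    return m is not None and '"' not in m.group(1)


if __name__ == '__main__':
    print('stray quotes in fragment:', dangling_quote_count(SANITIZED_FRAGMENT))
    unsafe = embed_in_value_attr_unsafe(SANITIZED_FRAGMENT)
    safe = embed_in_value_attr(SANITIZED_FRAGMENT)
    print('raw embed closes cleanly?    ', attribute_closes_cleanly(unsafe))
    print('encoded embed closes cleanly?', attribute_closes_cleanly(safe))
    print(safe)
```

The point of the pair of embedding functions is that the fix in 1.1.1 reduces the chance of a stray quote appearing, but a consumer that attribute-encodes on output is safe even when the sanitizer's output is not perfectly balanced.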

Many thanks for all the help from those who spent their time since 1.1 making AntiSamy a better tool. I’d like to send extra special thanks to Joel Worral and Raziel Alvarez for their diligent research. I owe you guys much beer/wine/whatever you drink in your part of the world!