We released AntiSamy 1.4.2 a few days ago. This is a minor release with a lot of housecleaning behind it. The main purpose for the release was to address a vulnerability in the DOM engine discovered by Michael Kirchner, Barbara Schachner and Jan Wolff. The bypass is hilariously simple and incredibly frustrating:

<![CDATA[]><script>alert(1)</script>]]>

The new SAX parser in AntiSamy was not vulnerable. But wait a minute, isn’t CDATA supposed to be inert? From Wikipedia:

In an XML document or external parsed entity, a CDATA section is a section of element content that is marked for the parser to interpret as only character data, not markup.

Yet, if you execute the above HTML in IE8 or Chrome 5, the JavaScript fires. The reason is that CDATA sections are an XML construct. A browser parsing the document as HTML (rather than as XHTML served as XML) has no CDATA sections at all: it treats <![CDATA[ as a bogus comment that ends at the first >. So <![CDATA[]> is swallowed as an empty comment, <script>alert(1)</script> is parsed as a real script element, and the trailing ]]> is just text. The XML-based DOM engine, by contrast, saw one CDATA section whose inert character data happened to contain a script tag, and serialized it back out untouched. The browsers have left defenders no choice but to encode the contents of CDATA blocks, which utterly defeats the point of CDATA. I am a little afraid this will break some machine-generated XHTML, but 99% of users should experience zero side effects from this patch.

UPDATE: @Lever_One also points out that an invalid start sequence for CDATA, <!CDATA[ (missing the opening bracket of the real <![CDATA[ delimiter), was being honored in my library.
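To make the mismatch concrete, here is a small model of the two parsers, added as an example for this post (it is not AntiSamy code and does not reproduce its internals). It assumes ordinary HTML-namespace content, where the HTML tokenizer turns <! into a bogus comment ending at the first >, and it ignores SVG/MathML content, where HTML5 does honor CDATA. It shows the payload as an XML parser sees it (one inert CDATA section), as an HTML tokenizer sees it (a comment, then a live script element), and the effect of the mitigation described above, entity-encoding the contents of each CDATA section before serializing. It also checks that the malformed <!CDATA[ sequence from the update is not recognized as a CDATA start.

```python
import html
import re

# Constructed input: the bypass payload quoted in the post.
PAYLOAD = "<![CDATA[]><script>alert(1)</script>]]>"

# A well-formed XML CDATA section: starts at "<![CDATA[" and ends at the first "]]>".
# "<!CDATA[" (no opening bracket) deliberately does not match.
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)

# Start or end tag: "<name ...>" / "</name>".
TAG_RE = re.compile(r"<(/?)([A-Za-z][^\s/>]*)[^>]*>")


def xml_cdata_contents(markup):
    """Character data of each CDATA section, as an XML parser would report it.
    Everything between the delimiters is inert text, even if it looks like markup."""
    return [m.group(1) for m in CDATA_RE.finditer(markup)]


def html_tags(markup):
    """Tags an HTML (text/html) tokenizer emits for `markup`.

    Simplified model of the HTML5 tokenizer rules that matter here:
      <!--...-->  comment, ends at the first "-->"
      <!...>      bogus comment, ends at the FIRST ">" (this is what "<![CDATA["
                  becomes outside SVG/MathML; HTML has no CDATA sections)
      <name ...>  start tag; </name> end tag; script/style bodies are raw text
    Everything else is character data. Assumption: HTML-namespace content only.
    """
    tags = []
    i, n = 0, len(markup)
    while i < n:
        if markup[i] != "<":
            i += 1
            continue
        if markup.startswith("<!--", i):
            end = markup.find("-->", i + 4)
            i = n if end == -1 else end + 3
            continue
        if markup.startswith("<!", i) or markup.startswith("<?", i):
            end = markup.find(">", i + 2)
            i = n if end == -1 else end + 1
            continue
        m = TAG_RE.match(markup, i)
        if not m:
            i += 1
            continue
        kind = "end" if m.group(1) else "start"
        name = m.group(2).lower()
        tags.append((kind, name))
        i = m.end()
        if kind == "start" and name in ("script", "style"):
            # Raw text element: nothing before the matching end tag is markup.
            end = markup.lower().find("</" + name, i)
            i = n if end == -1 else end
    return tags


def fires_script(markup):
    """True if an HTML tokenizer would open a real <script> element."""
    return any(kind == "start" and name == "script" for kind, name in html_tags(markup))


def encode_cdata_contents(markup):
    """The mitigation: serialize each CDATA section with its contents entity-encoded.
    With no literal ">" left before the closing "]]>", a text/html browser sees one
    bogus comment and nothing inside it can open a tag."""
    return CDATA_RE.sub(
        lambda m: "<![CDATA[" + html.escape(m.group(1), quote=False) + "]]>", markup
    )


if __name__ == "__main__":
    print("XML view :", xml_cdata_contents(PAYLOAD))
    print("HTML view:", html_tags(PAYLOAD), "fires:", fires_script(PAYLOAD))
    safe = encode_cdata_contents(PAYLOAD)
    print("encoded  :", safe, "fires:", fires_script(safe))
    print("<!CDATA[ recognized as CDATA?", bool(xml_cdata_contents("<!CDATA[x]]>")))
```

The encoded output is exactly the trade-off the post describes: a browser parsing it as HTML now sees a single inert comment, while an XML consumer sees a CDATA section whose text contains literal &gt; and &lt; sequences, which is why machine-generated XHTML that relied on CDATA being verbatim can change.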

Here’s the changelist:

  • Fixed a bug that caused some low range characters to go unencoded during serialization (no bypass, but still a bug)
  • Added the ability to nest policy files (policy A can include another policy file B)
  • Some performance enhancements
  • Added missing error messages in the SAX engine

There’s also some notable housekeeping for our users:

  • This is our last Java 1.4 release. Our next release will be Java 1.5 compliant, and probably will be for a few years.
  • This is the last release where the DOM engine will be the default parsing engine. SAX is much faster and uses far less memory.
  • AntiSamy has been moved into the Maven central repository, starting with this release (group ID = org.owasp.antisamy, parent group = org.owasp).

Big thanks to Jason Li for his continued assistance on the project and August Detlefsen for his help tracking down some bugs. Biggest props go to Chris Schmidt for refactoring the project in SVN and getting AntiSamy into Maven Central.

All the binaries, source, JavaDocs, POM, etc. have been pushed to the Google Code downloads page. If you want to check signatures, you can download them directly from Maven Central.

As always, feedback is greatly appreciated.