I’m releasing the OWASP AntiSamy project today. I have a host of early adopters from big name companies who are looking to integrate the solution, including Sun, eBay and more. While it’s really exciting that I’m getting some instant traction, I know there is a lot of work ahead. The framework is in place and the theoretical solution is now out there, but we need implementations in .NET and PHP as soon as humanly possible.
To download the code, the binaries, JavaDocs and all the normal distribution stuff, please visit the project page on Google Code. To test a live AntiSamy demo, visit my test page where you can attack a number of different policy files. There’s also a paper I wrote (PDF) which explains the design choices I made when building AntiSamy. It doubles as an academic overview of the framework. Finally, there are the slides I presented at the OWASP & WASC Fall 2007 conference in San Jose. More on that in a future post.
Wider usage means more people looking at the problem and establishing more useful policy files. If you are interested in helping out, please let me know. I talked to a couple of people at the conference from Zend and a few people from the Rails community that were interested, so I’m counting on those people to drop me a line. I plan on writing the .NET version since that’s a language that I know with at least a passing familiarity.
Like I wrote on RSnake’s site, I’m not just looking for ways to bypass the security filter. If you can find one, that’s great (sort of). I’m also looking for usability requests or suggestions. Throughout the development of AntiSamy I tried to imagine myself as the developer at MySpace faced with the Herculean task of only allowing non-malicious HTML/CSS. I figure if that guy can utilize the API in a usable way, then anyone can. Unfortunately, that guy probably killed himself a long time ago.
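As an added illustration (not code from the post or the project) of what that MySpace-style use of the API looks like from the integrating developer's side: load a policy file once, run every piece of user-supplied HTML through it, and keep the clean output plus the list of what was removed for logging. The policy resource name and the sample input are assumptions constructed for this example.

```java
import java.io.InputStream;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class ProfileSanitizer {

    // Assumption: a policy XML with this name is on the classpath. AntiSamy ships
    // sample policies; pick the one whose allowed tags/CSS match your application.
    private static final String POLICY_RESOURCE = "antisamy-myspace.xml";

    private final Policy policy;

    public ProfileSanitizer() throws PolicyException {
        // Parse the policy once; it is reused for every scan.
        InputStream in = ProfileSanitizer.class.getClassLoader()
                .getResourceAsStream(POLICY_RESOURCE);
        if (in == null) {
            throw new IllegalStateException("policy not found: " + POLICY_RESOURCE);
        }
        this.policy = Policy.getInstance(in);
    }

    // Returns HTML/CSS reduced to what the policy permits. Anything the policy
    // rejects is dropped and reported in the results' error messages.
    public String sanitize(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(untrustedHtml, policy);
        List<String> removed = results.getErrorMessages();
        for (String msg : removed) {
            // Defender-side visibility: what the filter stripped and why.
            System.err.println("AntiSamy removed: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: allowed markup mixed with a script element.
        String untrusted = "<b>About me</b><script>alert(1)</script>";
        String clean = new ProfileSanitizer().sanitize(untrusted);
        System.out.println(clean); // the <b> survives; the script element does not
    }
}
```

Store and render `clean`, never the original input, and treat a non-empty error list as a signal worth keeping in application logs.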