omg.wtf.bbq.

because arshan’s too cheap to license OneNote

Browsing Posts tagged antisamy

We’ve released another version of AntiSamy into Maven and on the main downloads page. In terms of the actual code changes, there are just a few things – it’s more of a directional change for our engine. Here’s the changelist: fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you [...]

We released AntiSamy 1.4.2 a few days ago. This is a minor release with a lot of housecleaning behind it. The main purpose for the release was to address a vulnerability in the DOM engine discovered by Michael Kirchner, Barbara Schachner and Jan Wolff. The bypass is hilariously simple and incredibly frustrating: <![CDATA[]><script>alert(1)</script>]]> The new [...]

You may be thinking, “what the hell happened to 1.4?” A few things. First, I had a baby. That was really hard. Then, we were trying to manage all the logistics of moving to a new project structure during our 1.4 release cycle and during that time we added some really important stuff. So, AntiSamy [...]

A colleague of mine, Jerry Hoff, was testing AntiSamy a while ago and he found an interesting technique he quite hilariously and tongue-in-cheekly called “formjacking.” Once we dissected the payload we found a very strange cross-browser behavior. I wanted to talk about it but never had a chance until now. It seems that FF3 and [...]

Go download! The changes: Fixed empty element “bug” (a <b/> causes the rest of the page to be bold cross-browser, wtf? more on this later) Fixed some bugs handling CSS colors, fonts and margins (negative margins not allowed and colors are now c14nized – thx to Jason Li and designbistro) Added a usable pom.xml (thx [...]

What a ridiculously fun but busy time for me. I’ve had the honor of beating up important applications at work, going to Blackhat, going on vacation in the beautiful OBX, and all the while pursuing lots of side projects during down time. Let’s catch up chronologically: 1. I taught an Advanced Web Application Penetration Testing [...]

I’m happy to say there’s a new version of AntiSamy out today! There were many more changes between 1.1 and 1.1.1 than there were from 1.0 to 1.1! And I’m thrilled about that, if that makes any sense – it means that usage really grew! Many international users made requests and e-mailed fixes to the [...]

I’m happy to say that the OWASP AntiSamy 1.1 Java API is officially out! Thanks to everyone on the OWASP AntiSamy mailing list for helping me get a better API out the door. There were really only 5-6 changes worth getting excited about. Here are the highlights: Removed accidentally included internal Sun JRE classes (com.sun.*) [...]