how to avoid commentary tags sanitizing?


Vladimir

May 30, 2016, 1:06:30 PM
to OWASP Java HTML Sanitizer Support
Is it possible to avoid sanitizing commentary tags <!-- some content --> ?

Thank you in advance for your response.

Mike Samuel

May 30, 2016, 1:09:02 PM
to OWASP Java HTML Sanitizer Support

No.  Conditional compilation comments can carry payloads.  Comments are oft-used by obscure and poorly tested browser extensions so stripping them is the only safe option.


Mike Samuel

Jun 17, 2016, 12:43:42 PM
to ggoo...@gmail.com, OWASP Java HTML Sanitizer Support
It's definitely possible. It's a parsing problem that browsers can
already handle.

Without a grammar for the comment syntax, it would require reverse
engineering the conditional comment syntax. Even with a grammar, it
would probably double the size of the sanitizer.

I don't think it's worth the effort. This only has value on a
minority browser, and I doubt third parties are likely to organically
try using it in HTML that ends up being sanitized.

To be convinced that it's worth the effort I'd probably have to see a
use case for it.



On Fri, Jun 17, 2016 at 11:41 AM, <ggoo...@gmail.com> wrote:
> It would be nice to be able to evaluate the contents of a conditional
> comment, maybe using the HtmlSanitizer.Policy interface to validate the
> <!--[if (gte mso 9)|(IE)]> and then use the normal whitelist approach for
> validating the rest of the comment until the <![endif]-->. I'm not familiar
> enough with the sanitizer interfaces to know how easy this is to do today.
> If it is possible, please let me know.
>
> Thanks.
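
The point made in Mike's two replies above (that a conditional comment is a single opaque comment to a standards parser but live markup to a browser that honours the `<!--[if ...]>...<![endif]-->` syntax, so a policy that passes comments through verbatim would let a payload reach that browser, and that the `[if (gte mso 9)|(IE)]` form quoted in the reply is exactly such a comment), as an added example. This is not part of the original thread and is not OWASP Java HTML Sanitizer code: the whitelist rebuilder, the `ALLOWED` set and the sample input are constructed for illustration, and the regex models only the downlevel-hidden form of the syntax, on the assumption that IE 5 through 9 parse the span between `<!--[if cond]>` and `<![endif]-->` as HTML when `cond` holds.

```python
"""Added example, not part of the original thread and not OWASP Java HTML
Sanitizer code: a toy whitelist sanitizer with a switch that either keeps
or strips comments, run over a constructed input that hides a script in an
IE "downlevel-hidden" conditional comment.

Assumption (labelled): IE 5-9 parse the markup between `<!--[if cond]>`
and `<![endif]-->` as live HTML when `cond` holds, while a standards
parser (html.parser here, any modern browser) sees one opaque comment.
The regex below models only that one form of the syntax."""
import html
import re
from html.parser import HTMLParser

# Constructed sample: benign formatting, a conditional comment hiding a
# script, an ordinary comment, and an event-handler attribute.
SAMPLE = (
    '<p>Hello <b>world</b></p>'
    '<!--[if IE]><script>alert(document.cookie)</script><![endif]-->'
    '<!-- plain comment -->'
    '<p onclick="evil()">bye</p>'
)

ALLOWED = {"p", "b", "i"}  # hypothetical whitelist for the example


class _Rebuilder(HTMLParser):
    """Re-emit only whitelisted tags (attributes dropped) and escaped text;
    comments are either copied verbatim or dropped, per keep_comments."""

    def __init__(self, keep_comments):
        super().__init__()
        self.keep_comments = keep_comments
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:
            self.out.append("<%s>" % tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        # html.parser hands the whole `[if IE]>...<![endif]` span here as
        # one comment body, script tag and all; the whitelist never sees it.
        if self.keep_comments:
            self.out.append("<!--%s-->" % data)


def sanitize(markup, keep_comments=False):
    """Whitelist-sanitize `markup`; keep_comments=True is the unsafe mode."""
    p = _Rebuilder(keep_comments)
    p.feed(markup)
    p.close()
    return "".join(p.out)


# Bodies of downlevel-hidden conditional comments, i.e. what IE <= 9 would
# parse as markup out of text every other parser treats as a comment.
_DOWNLEVEL_HIDDEN = re.compile(r"<!--\[if\s[^\]]*\]>(.*?)<!\[endif\]-->", re.S | re.I)


def ie_visible_markup(markup):
    """Return the markup a conditional-comment-aware browser would render."""
    return _DOWNLEVEL_HIDDEN.findall(markup)


if __name__ == "__main__":
    unsafe = sanitize(SAMPLE, keep_comments=True)
    safe = sanitize(SAMPLE)
    print("comments kept :", unsafe)
    print("IE would parse:", ie_visible_markup(unsafe))
    print("comments gone :", safe)
    print("IE would parse:", ie_visible_markup(safe))
```

With `keep_comments=True` the `onclick` attribute and the unwhitelisted tags are gone, yet `<script>alert(document.cookie)</script>` survives untouched inside the comment; with the default the output is just `<p>Hello <b>world</b></p><p>bye</p>`. Validating the comment body against the same whitelist, as the quoted reply suggests, would mean parsing the conditional-comment grammar inside the comment, which is the extra work Mike's reply describes.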

ggoo...@gmail.com

Jun 23, 2016, 11:16:57 PM
to OWASP Java HTML Sanitizer Support, mikes...@gmail.com
It would be nice to be able to evaluate the contents of a conditional comment, maybe using the HtmlSanitizer.Policy interface to validate the <!--[if (gte mso 9)|(IE)]> and then use the normal whitelist approach for validating the rest of the comment until the <![endif]-->.  I'm not familiar enough with the sanitizer interfaces to know how easy this is to do today.  If it is possible, please let me know.

Thanks.


Jim Manico

Jun 27, 2016, 10:41:03 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
I think this is something we should not be supporting. No web WYSIWYG tool that I know of adds comments. It seems like you're using this tool to validate full pages or something other than the use cases this tool was meant for.

I could be wrong. 

If you feel it, would you care to give us more info as to *why* you need this feature?

Aloha,
--
Jim Manico
@Manicode
Secure Coding Education