Sunday, August 9, 2009

When to use OWASP AntiSamy?

OWASP AntiSamy is a software engineering tool that allows a programmer to verify user-driven HTML/CSS input against a whitelist policy to ensure that is does not contain XSS.

But when do you use it?

1) If you accept "normal text data" from a user, then
a) (input validation) Use the ESAPI validator for input valiation (functions OTHER than getValidSafeHTML)
b) (output encoding) Use the ESAPI encoding library for contextual output encoding when displaying dynamic data in a web browser
1. encodeForHTML
2. encodeForJavascript
3. encodeForHTMLEntity
4. encodeForCSS

2) If you accept HTML from a user, you need to use AntiSamy
a) (input validation) You must validate and CHANGE (make it safer) HTML that you accept from a user with AntiSamy (which can be called via ESAPI - getValidSafeHTML)
b) (output translation) You can optionally use AntySamy for output translation (it does not encode; it only makes HTML "safer")
1. This is crucial when you have legacy HTML in your data storage mechanism that may still contain XSS


Krishna Patury said...

Hi There,
Can we use Antisamy to do user input validation in ASP.Net applications? I am having to port over a classic ASP app which does not have any input validation to .Net. I already have regular expressions in place but the security team suggested using AntiSamy. However, it seems to me that AntiSamy is only for HTML/CSS validation and not for form input validations. Please advise.

Krishna Patury said...

Hi There,
Can we use AntiSamy to do user input validation , say information entered on a form? I am porting over a classic ASP application which does not have any input validation so far, to .Net. I have written regular expressions to do the validation, but the security team suggested using AntiSamy. From what I can understand though, it seems that AntiSamy can be used only for HTML and CSS validation. Please advise.

Jim Manico said...

AntiSamy is a HTML validation tool used to remove XSS from untrusted HTML, like when a user submits TinyMCE data to the server. It might not be the best tool for what you need.

For ASP.NET, you need to use the AntiXSS library to protect your ASP.NET application from XSS.

Here is a good blog post on this:

Also consider Troy Hunts work on secure ASP.NET coding:

Krishna Patury said...

Thank you!

Jim Manico said...

And for this use case, I no longer recommend AntiSamy. I now suggest the following for HTML Sanitization.