Personally I think this is a fantastic project and something that could really take off usage wise - especially if versions are ported beyond Java to .Net and PHP. A lot of developers, who are aware of the dangers of XSS, are building more and more web applications that expect to take in dynamic user-supplied content (Web 2.0). This will give them an easy option to do so safely and securely. Excellent work Arshan!
Watch out for a new line of "Samy is my hero" / "Arshan is my nemesis" t-shirts
That kind of summarized the infosec culture doesn't it? :)
Maybe, but it's weird - I always thought of myself as the nemesis for different reasons. There should be a challenge on your site, who can summarize the infosec culture the best in 1 sentence. I want to have a while to think before I put in my entry. ;p
Sounds like something similar to PHPIDS (www.phpids.org). PHPIDS does not work like a filter, but it can inform the application about the performed attack. If PHPIDS starts claiming about something at - let's say - a specified level, you can drop the whole data/string/request/...
Alex: though some people may find that useful, this is nothing like that. Go check out the project - I need some smart PHP to help out!
You definitely got my interest, Arshan. Good job. I'm going to be keeping an eye on this for use at some of my SUN/CodeMagi projects once it reaches maturity. I also believe this has the potential to reach widespread use. Most XSS guidelines I have read completely ignore the fact that many modern sites need to accept and *render* markup code provided by a user, safely. This is the first large OSS project to address this critical need. Schweet!
"The difference is there hasn’t been an alternative to rolling your own so far."
Actually, HTML Purifier (http://htmlpurifier.org/) has been in existence for a while now, and I don't know of anything that has managed to bypass it yet. But it's for PHP, rather than Java.
kuza55, htmlpurifier? php security? *cough, cough*
Um, the greatest feature of AntiSammy is that it's for Java. PHP and security do not belong in the same sentence unless you are discussing just how in_secure PHP is at its core.
What about cross site scripting filtering for user HTML/CSS in classic ASP? AntiSamy .NET and Java cannot be implemented there :(