Antisamy

This project is a port of the java AntiSamy project to the ruby runtime. Its intended to provide a library for developers to add protection to their web applications from malicious user-supplier HTML and CSS. Please check out the AntiSamy project over at OWASP.

TODO

  • At some point support CSS3

Synopsis

require ‘antisamy’ policy = AntiSamy.policy(‘antisamy.xml’) tainted_html = ‘User supplied markup’ scan_results = AntiSamy.scan(tainted_html,policy) clean_html = scan_results.clean_html

Example Policies

Please check policy-examples for sample policy files.

Contributing to antisamy

  • Check out the latest master to make sure the feature hasn’t been implemented or the bug hasn’t been fixed yet

  • Check out the issue tracker to make sure someone already hasn’t requested it and/or contributed it

  • Fork the project

  • Start a feature/bugfix branch

  • Commit and push until you are happy with your contribution

  • Make sure to add tests for it. This is important so I don’t break it in a future version unintentionally.

  • Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.

csspool

We use a forked version of csspool 0.2.6 within antysamy, you can find the license for csspool in the rsac directory. csspool was re-namespaced to avoid any conflicts and updated for 1.9.2 ruby compatabilty

Copyright © 2011 Sal Scotto. See LICENSE.txt for further details.