Cross-Site Scripting (XSS) is a major security issue facing developers who want to let their users submit content containing HTML and CSS. A new OWASP project, "AntiSamy", aims to offer a comprehensive, policy-driven API that validates and sanitizes such input and reports back to the user what the filter changed. The project's home page describes the API:
Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance with an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.
What sets this API apart, according to lead developer Arshan Dabirsiaghi, is its user-friendly approach:
The methodology of AntiSamy is unique in that it is built on a positive security model in both the format of the HTML document and the content within the document. It's also unique in that it attempts to help the user tune their input to pass validation in a cooperative spirit, rather than treating users as potential attackers which is how all contemporary security mechanisms work.
In the paper "Towards Malicious Code Detection and Removal" (PDF), Dabirsiaghi describes the phases involved in the filtering process:
- Pre-Processing. NekoHTML parses the input and normalizes malformed markup into a well-formed DOM before any policy rules are applied.
- Processing. Tag/CSS validation rules are applied depth first using three processing modes: Filter, Truncate and Validate. Filter removes a tag that is not allowed but retains its content. Truncate removes the forbidden tag's attributes and child nodes, leaving an empty tag. Validate matches each tag/attribute combination against the rules in the policy file, so only the tags and attribute values the policy explicitly allows are kept.
- Remediation. If validation fails during processing, the policy file is consulted to determine how to handle the tag and its contents. Options include removing the tag and its content, filtering out the tag while leaving its content, and removing the offending attribute from the tag.
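To make the three processing modes and the remediation step concrete, here is a small positive-security sanitizer that applies a per-tag policy depth first over a parsed tree and, like AntiSamy, returns both the clean markup and a list of messages explaining what was changed. This is an added illustration written for this article, not AntiSamy's code: AntiSamy is Java and parses with NekoHTML, whereas this toy uses Python's html.parser, and the POLICY dictionary is an invented stand-in for AntiSamy's XML policy file. The sample input is constructed for the example. Anything not listed in the policy is removed, which is the assumption a positive model makes for unknown tags.

```python
"""Toy policy-driven HTML sanitizer: Validate / Filter / Truncate / Remove.

Added example only; not AntiSamy's implementation or policy format.
"""
import html
import re
from html.parser import HTMLParser

# Hypothetical policy (assumption, not AntiSamy's schema).
#   validate : keep the tag, keep only attributes whose value matches its regex
#   filter   : drop the tag but keep its children
#   truncate : keep the tag but drop all attributes and children
#   remove   : drop the tag and everything inside it
POLICY = {
    "p":      {"action": "validate", "attrs": {}},
    "b":      {"action": "validate", "attrs": {}},
    "i":      {"action": "validate", "attrs": {}},
    "br":     {"action": "validate", "attrs": {}},
    "a":      {"action": "validate",
               "attrs": {"href": re.compile(r"https?://[\w./-]+")}},
    "div":    {"action": "truncate"},
    "font":   {"action": "filter"},
    "script": {"action": "remove"},
}
DEFAULT_ACTION = "remove"   # positive model: unknown tags are dropped
VOID = {"br", "hr", "img"}  # elements that never have children


class TreeBuilder(HTMLParser):
    """Pre-processing stage: turn the raw input into a simple tree of dicts and strings."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = {"tag": "#root", "attrs": [], "children": []}
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = {"tag": tag, "attrs": attrs, "children": []}
        self.stack[-1]["children"].append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_startendtag(self, tag, attrs):
        self.stack[-1]["children"].append({"tag": tag, "attrs": attrs, "children": []})

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray closing tags are ignored.
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i]["tag"] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.stack[-1]["children"].append(data)


def sanitize_node(node, policy, errors):
    """Processing + remediation for one node; returns the list of nodes that replace it."""
    if isinstance(node, str):
        return [node]  # text is escaped at serialization time
    tag = node["tag"]
    rule = policy.get(tag, {"action": DEFAULT_ACTION})
    action = rule["action"]
    if action == "remove":
        errors.append(f"The <{tag}> tag and its contents were removed")
        return []
    if action == "filter":
        errors.append(f"The <{tag}> tag was removed but its contents were kept")
        return sanitize_children(node["children"], policy, errors)
    if action == "truncate":
        if node["attrs"] or node["children"]:
            errors.append(f"The <{tag}> tag was truncated to an empty tag")
        return [{"tag": tag, "attrs": [], "children": []}]
    # validate: keep only attributes the policy names, with values matching the regex
    clean_attrs = []
    for name, value in node["attrs"]:
        pattern = rule.get("attrs", {}).get(name)
        if pattern is None:
            errors.append(f"The {name} attribute of <{tag}> is not allowed and was removed")
        elif value is None or not pattern.fullmatch(value):
            errors.append(f"The {name} attribute of <{tag}> has an invalid value and was removed")
        else:
            clean_attrs.append((name, value))
    return [{"tag": tag, "attrs": clean_attrs,
             "children": sanitize_children(node["children"], policy, errors)}]


def sanitize_children(children, policy, errors):
    clean = []
    for child in children:
        clean.extend(sanitize_node(child, policy, errors))
    return clean


def serialize(nodes):
    """Re-emit the clean tree, escaping text and attribute values."""
    out = []
    for n in nodes:
        if isinstance(n, str):
            out.append(html.escape(n, quote=False))
            continue
        attrs = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in n["attrs"])
        if n["tag"] in VOID:
            out.append(f"<{n['tag']}{attrs} />")
        else:
            out.append(f"<{n['tag']}{attrs}>{serialize(n['children'])}</{n['tag']}>")
    return "".join(out)


def scan(dirty_html, policy=POLICY):
    """Return (clean_html, error_messages), mirroring the clean output plus feedback idea."""
    builder = TreeBuilder()
    builder.feed(dirty_html)
    builder.close()
    errors = []
    clean = serialize(sanitize_children(builder.root["children"], policy, errors))
    return clean, errors


# Constructed sample input exercising every action in the policy.
DIRTY = (
    '<p onclick="alert(1)">Hi <b>there</b><script>steal()</script></p>'
    '<font color="red">plain</font>'
    '<a href="javascript:alert(1)">bad link</a>'
    '<a href="http://example.com/a">good link</a>'
    '<div style="position:absolute">floating <i>layer</i></div>'
    '<marquee>unknown</marquee> 1 &lt; 2'
)

if __name__ == "__main__":
    clean_html, messages = scan(DIRTY)
    print(clean_html)
    for m in messages:
        print("-", m)
```

Note that the error list is what lets the sanitizer be cooperative rather than silent: each dropped tag or attribute produces a message the application can show back to the user, instead of quietly rewriting what they submitted.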
The first release of AntiSamy includes a Java implementation, with .NET and PHP versions to follow.
Integration into a Java application is simple:
```java
import org.owasp.validator.html.*;

// Load the policy file that defines which tags, attributes and CSS are allowed
Policy policy = new Policy(POLICY_FILE_LOCATION);
AntiSamy as = new AntiSamy();
// scan() returns the sanitized HTML together with messages about what was changed
CleanResults cr = as.scan(dirtyInput, policy);
MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function
```
The CleanResults class provides methods to access useful information about the filtering process:
- getErrorMessages() - a list of String error messages
- getCleanHTML() - the clean, safe HTML output
- getCleanXMLDocumentFragment() - the clean, safe XMLDocumentFragment which is reflected in getCleanHTML()
- getScanTime() - returns the scan time in seconds
AntiSamy is released under a BSD-style license and can be downloaded from the Google Code project page.