AntiSamy Directives

From OWASP
Revision as of 21:07, 19 October 2009 by Arshan (Talk | contribs)


This page explains the purpose of the "directives" in AntiSamy policy files and which versions support them. A directive is a global switch for the sanitizer, as opposed to a per-tag or per-attribute rule; it is set in the policy file's <directives> section with a name and a value. Unless stated otherwise, the default values below are those of the Java implementation.

Each entry gives the directive name, its type, its default value in AntiSamy Java, and whether AntiSamy Java and AntiSamy .NET support it.

useXHTML
  Type: boolean. Default (Java): false. Supported: Java yes, .NET no.
  When this feature is on, AntiSamy outputs the sanitized data as XHTML rather than regular HTML.

omitXMLDeclaration
  Type: boolean. Default (Java): true. Supported: Java yes, .NET no.
  When "useXHTML" is on, AntiSamy prepends the XML declaration to its output by default. Enabling this directive tells AntiSamy not to do that.

formatOutput
  Type: boolean. Default (Java): true. Supported: Java yes, .NET no.
  When enabled, AntiSamy formats the output according to some basic line-break and indentation rules, similar to "pretty print".

maxInputSize
  Type: integer. Default (Java): 100000 (100K). Supported: Java yes, .NET no.
  The maximum size (in bytes) of user input that AntiSamy will accept for validation. Input larger than this is rejected rather than sanitized, which bounds the work an attacker can force the sanitizer to do with one request.

embedStyleSheets
  Type: boolean. Default (Java): false. Supported: Java yes, .NET no.
  When the developer chooses to allow CSS, this directive specifies whether remote stylesheets referenced in the user's input are fetched and embedded into that input. Note that enabling it makes the validating server issue outbound requests to URLs chosen by whoever supplied the input; leave it off unless you need it and have considered where those requests can go.

maxStyleSheetImports
  Type: integer. Default (Java): 1. Supported: Java yes, .NET no.
  The number of remote stylesheets that may be downloaded for any one input when "embedStyleSheets" is enabled.

connectionTimeout
  Type: integer. Default (Java): 1000 (1K) milliseconds. Supported: Java yes, .NET no.
  When "embedStyleSheets" is enabled, this timeout (in milliseconds) is used when fetching each offsite resource. It prevents validation threads from blocking on third-party systems that may deliberately respond very slowly.

preserveComments
  Type: boolean. Default (Java): false. Supported: Java yes, .NET no.
  When enabled, AntiSamy keeps HTML comments supplied in the input instead of stripping them.

nofollowAnchors
  Type: boolean. Default (Java): false. Supported: Java yes, .NET no.
  When enabled, AntiSamy appends rel="nofollow" to every anchor (<a>) tag in the input. This tells search engines not to associate your site with sites that are under the control of your users.

validateParamAsEmbed
  Type: boolean. Default (Java): false. Supported: Java yes, .NET no.
  When enabled, AntiSamy applies the policy's attribute rules for <embed> tags equally to any <param> tags nested inside the <embed>, so users can pass the same data either way with the same security. This is needed for sites that let users supply videos and similar content.

preserveSpace
  Type: boolean. Default (Java): false. Supported: Java yes, .NET no.
  When enabled, this feature is intended to preserve whitespace as given in the input, without normalization. At present it only works according to this method.
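The following is an added example, not code from the AntiSamy project or from the original page. It shows how an application can read the directives above through the AntiSamy Java API before trusting a policy file, refusing to start if "embedStyleSheets" is on or "maxInputSize" is unbounded, and then scans a constructed input to show "nofollowAnchors" in effect. The resource name antisamy-hardened.xml is an assumption; substitute your own policy file.

```java
import java.io.InputStream;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class DirectiveCheck {

    // Assumed resource name; point this at whatever policy file your deployment uses.
    private static final String POLICY_RESOURCE = "/antisamy-hardened.xml";

    // Largest input this application is willing to sanitize, even if the policy allows more.
    private static final int MAX_ACCEPTABLE_INPUT = 100000;

    // Load the policy and verify the directives that matter operationally.
    static Policy loadCheckedPolicy() throws PolicyException {
        InputStream in = DirectiveCheck.class.getResourceAsStream(POLICY_RESOURCE);
        if (in == null) {
            throw new IllegalStateException("policy resource not found: " + POLICY_RESOURCE);
        }
        Policy policy = Policy.getInstance(in);

        // getDirective returns null when the policy does not set the directive;
        // parseBoolean(null) is false, which matches AntiSamy's default for this one.
        if (Boolean.parseBoolean(policy.getDirective("embedStyleSheets"))) {
            throw new IllegalStateException(
                "embedStyleSheets is on: the sanitizer would fetch user-chosen URLs from this server");
        }

        // Refuse an explicit maxInputSize larger than what this application tolerates.
        String maxInput = policy.getDirective("maxInputSize");
        if (maxInput != null && Integer.parseInt(maxInput.trim()) > MAX_ACCEPTABLE_INPUT) {
            throw new IllegalStateException("maxInputSize " + maxInput + " exceeds " + MAX_ACCEPTABLE_INPUT);
        }
        return policy;
    }

    // Sanitize one fragment and return the clean HTML; errors from the scan are logged.
    static String sanitize(Policy policy, String untrusted) throws ScanException, PolicyException {
        CleanResults results = new AntiSamy().scan(untrusted, policy);
        for (Object message : results.getErrorMessages()) {
            System.err.println("AntiSamy: " + message);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        Policy policy = loadCheckedPolicy();

        // Constructed sample input: a user-supplied link plus a script tag the policy should drop.
        String untrusted = "<p>See <a href=\"http://example.com/\">this</a></p><script>alert(1)</script>";
        String clean = sanitize(policy, untrusted);

        // With nofollowAnchors=true in the policy, the anchor gains rel="nofollow";
        // the <script> element is removed regardless of the directive settings.
        System.out.println(clean);
    }
}
```

The startup check is deliberately strict: an "embedStyleSheets" value of true turns the sanitizer into an outbound HTTP client driven by user input, so a deployment that does not need it should fail fast rather than discover the behaviour in production.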