Java: OWASP AntiSamy vs owasp-java-html-sanitizer

user2022068 · Feb 18, 2015 · Viewed 7k times

I am looking for an HTML purifier library. I've found that there are two "OWASP" libraries. The first is https://code.google.com/p/owasp-java-html-sanitizer/ and the second is https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project.

My question is: what are the pros and cons when comparing them?

Answer

Vojtech Ruzicka · Mar 25, 2015

OWASP Java HTML Sanitizer is a newer project than AntiSamy. The goals of these projects are the same: sanitizing HTML to prevent XSS and filtering out other unwanted content. However, their approaches are different. Every approach has its tradeoffs, so you should choose the solution depending on your requirements. In a nutshell, HTML Sanitizer is simpler to use and faster; on the other hand, it is less flexible. However, it should be good enough for most users. Note that AntiSamy can process not only HTML but also CSS.

Here is a message from the OWASP mailing lists requesting the creation of the HTML Sanitizer project, including a list of some of its advantages and differences from AntiSamy.

I would like to start a new OWASP project that is very similar to AntiSamy.

I would like to call this project the "OWASP Java HTML Sanitizer" and have code available already at:

https://code.google.com/p/owasp-java-html-sanitizer/

This is code from the Caja project that was donated by Google. It is rather high performance with low memory utilization.

  1. This code provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode
  2. Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
  3. It does not suffer from the various security flaws that the Niko HTML parser brought with it
  4. Actively maintained by myself and Mike Samuel from Google's AppSec team
  5. Already passing 80% of AntiSamy's unit tests plus many more.
  6. Only 3 dependent jar files
  7. This is a pure Java 6 project and does not support Java 5 or below (please note AntiSamy supports 1.4+).

We are currently at Alpha right now, but will be production ready soon.

Sample programmatic policy example:

    import com.google.common.collect.ImmutableSet; // Guava

    // A VERY SIMPLE WHITELISTING POLICY
    // Element names that are allowed to pass through the sanitizer
    final ImmutableSet<String> okTags = ImmutableSet.of(
        "a", "b", "br", "div", "i", "img", "input", "li",
        "ol", "p", "span", "ul");

    // Attribute names that are allowed to pass through the sanitizer
    final ImmutableSet<String> okAttrs = ImmutableSet.of(
        "div", "checked", "class", "href", "id", "target", "title", "type");

What do you think? Is a little respectful competition a good thing?

  • Jim
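The programmatic positive policy the mailing-list message describes, written out with the public HtmlPolicyBuilder API of the OWASP Java HTML Sanitizer as an added example (it is not code from the answer or from the project's own documentation). The class name and the sample input are constructed for this illustration; the attribute list is restricted to the elements each attribute belongs on, and the run shows what an allow-list policy does with markup it was never told about.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Needs the owasp-java-html-sanitizer jar on the classpath.
public class PositivePolicyDemo {

    // Positive (allow-list) policy built in code, no XML config: any element
    // or attribute not listed here is dropped. Based on the okTags/okAttrs
    // sets from the mailing-list message, with each attribute scoped to the
    // elements it belongs on.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("a", "b", "br", "div", "i", "img", "input", "li",
                       "ol", "p", "span", "ul")
        .allowAttributes("id", "class", "title").globally()
        .allowAttributes("href", "target").onElements("a")
        .allowAttributes("src").onElements("img")
        .allowAttributes("type", "checked").onElements("input")
        .allowStandardUrlProtocols()   // http, https, mailto only
        .requireRelNofollowOnLinks()
        .toFactory();

    // Single choke point the application calls before rendering user HTML.
    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample: allowed markup mixed with an unlisted element,
        // an event-handler attribute and a non-standard URL scheme, all of
        // which the policy removes because they were never allowed.
        String input = "<p class=\"note\" onclick=\"x()\">Hi <b>there</b>"
            + "<script>alert(1)</script>"
            + "<a href=\"javascript:void(0)\">dropped href</a>"
            + "<a href=\"https://example.com\" target=\"_blank\">kept</a></p>";
        System.out.println(sanitize(input));
    }
}
```

The output keeps the paragraph, bold text and the https link (with a rel attribute added) and contains no script element, event handler or javascript: URL, which is the practical difference between an allow-list policy and a deny-list filter.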