
When I call the API 'ESAPI.validator().getValidSafeHTML' with mixed-encoding input, the mixed input will be filtered. #645

Open
wangyun2018 opened this issue Dec 3, 2021 · 9 comments

Comments

@wangyun2018

wangyun2018 commented Dec 3, 2021

1. When I call the API "ESAPI.validator().getValidSafeHTML" with the input

"<html>
<table>
    <tbody>
    <tr>
        <td><p>\n This administrative email\n is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If
            you\n want the early word on all Rockstar game announcements, official launches,\n contests, special events,
            and more <a href=\"https://socialclub.rockstargames.com/settings/email?utm_source=Social%20Club&amp;utm_medium=Email&amp;utm_campaign=Administrative%20Emails&amp;utm_content=en\">subscribe\n
                to the Rockstar Games Mailing List</a>.<p>
        </td>
    </tr>
    </tbody>
</table>
</html>"

the result is
"<table> <tbody> <tr> <td><p> This administrative email is being sent to you from Rockstar Games, 622 Broadway, NY, NY 10012. If you want the early word on all Rockstar game announcements, official launches, contests, special events, and more subscribe to the Rockstar Games Mailing List.</p><p> </p></td> </tr> </tbody> </table>"

and the 'a' tag is missing.
2. I have set the 'a' tag in the whitelist in antisamy.xml and set Encoder.AllowMixedEncoding=true
3. I want to know how to make the result contain the 'a' tag

@xeno6696
Collaborator

xeno6696 commented Dec 3, 2021 via email

@wangyun2018
Author

The input file is below:

input.txt

and the result after calling ESAPI.validator().getValidSafeHTML is below:

result.txt

and the 'a' tag is missing.

@xeno6696
Collaborator

xeno6696 commented Dec 8, 2021

oh wow... for some reason when this came in I completely missed this was github and thought it was hitting the main mailing list. My apologies. I'll try and reproduce.

@kwwall
Contributor

kwwall commented Dec 8, 2021 via email

@simon0117
Contributor

@wangyun2018 did this get resolved? Can you provide the AntiSamy XML you are using? It does seem like an AntiSamy issue, not an ESAPI one. What is the reason to enable the strongly discouraged mixed encoding?

@xeno6696
Collaborator

@wangyun2018 I'm in a mode where I can debug this, but I need the relevant antisamy configs to minimize the time it takes to match your config. I would understand that you wouldn't want to publish the entire whitelist, but at minimum I need those href tag configs.

By default ESAPI is configured like this:

    <tag name="a" action="validate">
        <attribute name="href" onInvalid="filterTag"/>
        <attribute name="nohref">
            <literal-list>
                <literal value="nohref"/>
                <literal value=""/>
            </literal-list>
        </attribute>
        <attribute name="rel">
            <literal-list>
                <literal value="nofollow"/>
            </literal-list>
        </attribute>
    </tag>

@kwwall
Contributor

kwwall commented Dec 24, 2021

@xeno6696 - Note: to test this in JUnit, you will have to create a custom AntiSamy XML policy file and drop it under 'src/test/resources' and load it with HTMLValidationRule.loadAntisamyPolicy("Name_of_your_policy_file") from your JUnit test. We already do that in 1 or 2 tests so you can follow them as an example.
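Putting the steps from this thread together as a reproduction test: the code below is added here and is not ESAPI project code or code from anyone in the issue. It assumes JUnit 4 (what the ESAPI test suite uses), an ESAPI.properties on the test classpath with Encoder.AllowMixedEncoding=true as the reporter set it, and a policy file with the placeholder name antisamy-issue645-test.xml under src/test/resources that whitelists the a tag as shown above; the input is a shortened form of the reporter's fragment, keeping the href whose query string mixes HTML entities (&amp;) with percent-encoding (%20). The assertion states the reporter's expectation, so the test fails for as long as the reported behaviour persists; the printed canonical form shows what AntiSamy actually receives after ESAPI's canonicalization, which is the first thing to compare against the policy's href rules.

```java
// Added example, not from the ESAPI project or the issue author.
// JUnit 4 test loading a custom AntiSamy policy the way kwwall describes,
// then running a mixed-encoding anchor through getValidSafeHTML.
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.HTMLValidationRule;

public class MixedEncodingAnchorTagTest {

    // Constructed input: a shortened version of the reporter's fragment. The href
    // carries both HTML entities (&amp;) and URL percent-encoding (%20), which is
    // what ESAPI's canonicalizer classifies as mixed encoding.
    private static final String INPUT =
        "<table><tbody><tr><td><p>This administrative email is being sent to you. "
      + "<a href=\"https://socialclub.rockstargames.com/settings/email?"
      + "utm_source=Social%20Club&amp;utm_medium=Email"
      + "&amp;utm_campaign=Administrative%20Emails&amp;utm_content=en\">"
      + "subscribe to the Rockstar Games Mailing List</a>."
      + "</p></td></tr></tbody></table>";

    @Test
    public void anchorTagSurvivesCustomPolicy() throws ValidationException {
        // Placeholder file name: drop your own AntiSamy policy (with the <tag name="a">
        // rule from the thread) under src/test/resources and use its name here.
        HTMLValidationRule.loadAntisamyPolicy("antisamy-issue645-test.xml");

        // Diagnostic step: getValidSafeHTML canonicalizes the input before AntiSamy
        // sees it, so log what the policy is actually evaluated against. With the
        // default Encoder.AllowMixedEncoding=false this call throws IntrusionException
        // for the href above instead of decoding it.
        String canonical = ESAPI.encoder().canonicalize(INPUT);
        System.out.println("canonicalized input: " + canonical);

        // context "issue645", max length 10000, nulls not allowed
        String safe = ESAPI.validator().getValidSafeHTML("issue645", INPUT, 10000, false);
        System.out.println("getValidSafeHTML result: " + safe);

        // The reporter's expectation: the <a> element comes through the filter.
        assertTrue("anchor tag was stripped by the policy", safe.contains("<a "));
    }
}
```

Comparing the two printed strings against the href attribute rules in the loaded policy shows whether the element is dropped by the policy (an AntiSamy question, as the thread suspects) or altered before AntiSamy runs (an ESAPI canonicalization question).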

@xeno6696
Collaborator

Yeah, I'm good: it's ready to go, I just need the proper inputs to see whether or not this is something I can help with.

I suspect it's AntiSamy as well but stranger things have happened.

@kwwall
Contributor

kwwall commented Dec 24, 2021

@xeno6696 - My guess, if it's not AntiSamy, it's one of the parsers that they are using. If the latter, it will not be fixed.

@wangyun2018 - Can you attach the AntiSamy XML policy file fragment that Matt asked for so we can try to get this wrapped up? Thanks!

4 participants