{| align="right"
| __TOC__
|}
= Exploring the AntiSamy Plugin =
== Overview ==
A plugin that wraps the [http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project OWASP AntiSamy] project to provide [http://en.wikipedia.org/wiki/Cross-site_scripting XSS] cleanup operations for ColdBox applications.
== Custom Policies ==
The AntiSamy plugin comes with several boilerplate policies that you can use, but we recommend creating your own policy to match your requirements. Once you do this, you can easily integrate it into the plugin in three steps:
# Create a policy file based on the ones shipped and store it wherever you like in your application.
# Create a custom setting in your application with the path to this custom file: '''AntiSamy_Custom_Policy'''
 // custom settings
 settings = {
     AntiSamy_Custom_Policy = expandPath("/#appMapping#/includes/MyAntiSamy.xml")
 };
3. You can now call the plugin's ''HtmlSanitizer()'' method with '''custom''' as the policy to use.
 clean = getPlugin("AntiSamy").HtmlSanitizer(rc.text, "custom");
== HtmlSanitizer ==
Cleans HTML of XSS scripts using the AntiSamy project. The available policies are antisamy, ebay, myspace or slashdot, plus custom when the '''AntiSamy_Custom_Policy''' setting is declared.
=== Returns ===
* This function returns ''Any''
=== Arguments ===
{| cellpadding="5" class="tablelisting"
! '''Key''' !! '''Type''' !! '''Required''' !! '''Default''' !! '''Description'''
|-
| HtmlData || string || Yes || --- || The HTML text to sanitize
|-
| PolicyFile || string || No || myspace || The policy file used to scan the HTML. Available options are: '''antisamy, ebay, myspace, slashdot, custom'''
|-
| resultsObject || boolean || No || false || Return the cleaned HTML or the results object. By default the cleaned HTML is returned
|}
=== Examples ===
 // Clean a single variable with the default (myspace) policy
 rc.cleanData = getPlugin("AntiSamy").HtmlSanitizer(rc.comments);
 // Clean a single variable with the ebay policy
 rc.cleanData = getPlugin("AntiSamy").HtmlSanitizer(rc.comments, "ebay");
 // Clean every simple value in the request collection
 for(key in rc){
     if( isSimpleValue(rc[key]) ){
         rc[key] = getPlugin("AntiSamy").HtmlSanitizer(rc[key]);
     }
 }
 // Clean with the custom policy declared in the AntiSamy_Custom_Policy setting
 clean = getPlugin("AntiSamy").HtmlSanitizer(rc.text, "custom");
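The following handler action is an added example, not code from the ColdBox plugin or its documentation: it combines the custom policy from the section above with the ''resultsObject'' argument so that the application can record how much the policy stripped instead of silently accepting the input. It assumes the results object is AntiSamy's Java ''CleanResults'' (with ''getCleanHTML()'', ''getNumberOfErrors()'' and ''getErrorMessages()''); the handler and event names are made up for the example.

```cfml
// Added example (not from the ColdBox docs): sanitize a comment with the
// custom policy and log what the policy had to remove.
// Assumption: the results object returned when resultsObject=true is
// AntiSamy's Java CleanResults object.
component extends="coldbox.system.EventHandler" {

    // Hypothetical event: comments.save
    function save(event, rc, prc) {
        var antiSamy = getPlugin("AntiSamy");

        // Ask for the results object (third argument) rather than the clean string
        var results = antiSamy.HtmlSanitizer(rc.comments, "custom", true);

        // Anything the policy stripped is a signal worth keeping for review:
        // a sudden rise in stripped elements is an early warning of probing.
        if ( results.getNumberOfErrors() gt 0 ) {
            writeLog(
                type = "warning",
                file = "antisamy",
                text = "Event #event.getCurrentEvent()# stripped #results.getNumberOfErrors()# item(s): " &
                       arrayToList(results.getErrorMessages(), "; ")
            );
        }

        // Only the cleaned markup is stored or rendered, never rc.comments itself
        prc.cleanComment = results.getCleanHTML();

        event.setView("comments/saved");
    }

}
```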
== Policies ==
The policies that we offer are all the [http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file policies] offered by the OWASP Antisamy project:
* Ebay
* SlashDot
* AntiSamy
* MySpace
* Custom (Only if you declare the '''AntiSamy_Custom_Policy''' setting)