Category:OWASP AntiSamy Project .Java

= Building AntiSamy (Java) =

AntiSamy is extremely easy to build. In order to start playing with the source, follow these simple instructions.

How to get started
1. Install Eclipse IDE. Any version from 3.0 on should be fine. 2. Make sure the "Ant" plugin is installed. 3. Checkout the latest source from SVN. The instructions for how to do so are located on its home in Google Code. Mind what local directory you check out the HEAD revision to, as that will be needed later. Make sure you also select the "Java/current" directory so that you only get the Java version of AntiSamy! 4. Go to File->New->Java Project 5a. Under project name, enter "AntiSamy", or whatever you'd like. 5b. Under "Contents", choose the "Create project from existing source" radio button and enter the directory that you remembered from step 3. 6. Hit "Finish"

All the source should build automatically out of the box after the project is created. If "Build Automatically" is turned off, you may have to manually compile the source.

To generate the jar, javadocs, or other distributions, load the build.xml inside the project root into the Ant plugin and select your desired build target, such as "jar".

Building from Maven
It's also possible to build AntiSamy directly through Maven. The POM file is located http://code.google.com/p/owaspantisamy/source/browse/trunk/Java/current/pom.xml. There's also a source and binary snapshot at http://antisamy.happyfern.com/maven2-snapshot/. To generate a source JAR with (along with the binary) add the following snippet to the tag of the POM: (thanks to thiaghop!)

org.apache.maven.plugins maven-source-plugin LATEST attach-sources jar

Test Case Coverage
AntiSamy Java has a number of test cases which are broken down into essentially two categories. There are a number of XSS and presentation layer attacks in the first category which help developers make sure they don't introduce any vulnerabilities, and a number of test cases to confirm that previously reported issues no longer exist or have not been resurrected. They are labeled in AntiSamyTest.java (org.owasp.validator.html.test), which is available inside the Test source tree.

Depending on which version of NekoHTML is being used in the nightly build, you will either get 100% or just less in test case coverage. Details about the failing test cases (which are crashes from a 3rd party library) can be found in the Google Code issue tracker.

= Developing AntiSamy (Java) =

If you're interested in submitting patches, feel free to submit them to the Google Code issues page or e-mail them to the mailing list. There are a few principles we look at when considering patches to AntiSamy:

* security * performance * simplicity

There are about 7 contributors to the Java version, and we would appreciate as many as we can get!