antisamy parser force closing tag

Question

I use Antisamy for validating HTML. My policy allow iframes, like youtube videos. Problem is - if tag is empty(like this):

<iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen></iframe>

than after cleaning it will be like this:

<iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=player_detailpage" allowfullscreen/>

But it should have normal closing tag.

And this break all content on page after. I already set my directives to use most of HTML but not XML:

<directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="omitDoctypeDeclaration" value="true"/>
    <directive name="maxInputSize" value="200000"/>
    <directive name="nofollowAnchors" value="true" />
    <directive name="validateParamAsEmbed" value="true" />
    <directive name="useXHTML" value="false"/>

    <directive name="embedStyleSheets" value="false"/> 
    <directive name="connectionTimeout" value="5000"/>
    <directive name="maxStyleSheetImports" value="3"/>
    <directive name="formatOutput" value="false"/>
</directives>

But this not help.

UPD: switching between parsers and playing with directives still did not give any results.

UPD2: this is part of my configuration, responsible for handling iframe tag:

    <tag name="iframe" action="validate">
        <attribute name="src">
            <regexp-list>
                <regexp name="youtube"/>
                <regexp name="slideshare"/>
            </regexp-list>
        </attribute>
        <attribute name="allowfullscreen">
             <regexp-list>
                 <regexp name="anything"/>
             </regexp-list>
        </attribute>
        <attribute name="scrolling">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="marginwidth">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="marginheight">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="frameborder">
            <regexp-list>
                <regexp name="anything"/>
            </regexp-list>
        </attribute>
        <attribute name="style"/>
    </tag>

Any idea?

Answer 1

Try this -

<tag name="iframe" action="validate"/>

And add a tag to this list -

<allowed-empty-tags>
   <literal-list>
      <literal value="iframe"/>
   </literal-list>
</allowed-empty-tags>

See http://code.google.com/p/owaspantisamy/...

Answer 2

I ran into the same issue. In my case it was due to the AntiSamy policy having this directive:

<directive name="useXHTML" value="true" /> 

Which, per the OWASP documentation, will output the sanitized data in XHTML format as opposed to just regular HTML. Please see: https://www.owasp.org/index.php/AntiSamy_Directives

Changing that value to false will allow the sanitized output to be provided as valid HTML. Block level elements will not be shortened and become invalid markup.