Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:25:21 UTC
[sling-org-apache-sling-xss] annotated tag
org.apache.sling.xss-1.0.12 created (now e087bb4)
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a change to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git.
at e087bb4 (tag)
tagging 01daa6857d6767f6851262417b6f9f23f9c57232 (commit)
by Bertrand Delacretaz
on Fri Aug 12 08:13:30 2016 +0000
- Log -----------------------------------------------------------------
org.apache.sling.xss-1.0.12
-----------------------------------------------------------------------
This annotated tag includes the following new commits:
new ce57411 SLING-4705 - Move the XSS Protection bundle from contrib to bundles
new a1132dc SLING-4525 - XSS protection path mangling issue
new 7a68e9d SLING-4557 - Add JSON and XML validation to the XSS Protection API
new 20f10ec Update svn:ignore
new a860112 SLING-4584 - Performance: XSSAPI.getValidHref should not be based on HTML filtering
new dc7f8be Update to Sling Parent 23
new 978acab Remove superflous sling.java.version=6 as it's the default now
new f889940 set parent version to 24 and add empty relativePath where missing
new 54e898d SLING-4403 - XSS Configuration should allow caption tags
new b9c2df5 SLING-4584 - Performance: XSSAPI.getValidHref should not be based on HTML filtering
new cb9c2a4 trivial: corrected JavaDoc for Java 1.8
new f9008d3 trivial: updated README
new b158317 [maven-release-plugin] prepare release org.apache.sling.xss-1.0.4
new 8db0e9d [maven-release-plugin] prepare for next development iteration
new ee2a195 SLING-5050 - Disable AntiSamy's default formatOutput policy directive
new d615480 Update the main reactor to parent 25
new e511cf5 [maven-release-plugin] prepare release org.apache.sling.xss-1.0.6
new 2ca29b7 [maven-release-plugin] prepare for next development iteration
new d490141 Switch to parent pom 26
new 58f95b8 SLING-5445 - XSSAPI#encodeForJSString is too restrictive
new 9ad75d5 [maven-release-plugin] prepare release org.apache.sling.xss-1.0.8
new 81b6a22 [maven-release-plugin] prepare for next development iteration
new f9befd2 SLING-5761 - adding double validator
new 90a82b3 SLING-5761 add Double XSS validator
new 3dcd697 SLING-5946 - XSSAPI#encodeForJSString is not restrictive enough
new 1e6db49 [maven-release-plugin] prepare release org.apache.sling.xss-1.0.10
new fbce7ca [maven-release-plugin] prepare for next development iteration
new ff79a08 SLING-5954 - Disable non-essential features in XML parser
new 0475ee4 [maven-release-plugin] prepare release org.apache.sling.xss-1.0.12
new 01daa68 [maven-release-plugin] copy for tag org.apache.sling.xss-1.0.12
The 30 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[sling-org-apache-sling-xss] 03/04: [maven-release-plugin] prepare
release org.apache.sling.xss-1.0.12
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 0475ee4199cdaa809af82184b8f608ea53dc587d
Author: Bertrand Delacretaz <bd...@apache.org>
AuthorDate: Fri Aug 12 08:13:16 2016 +0000
[maven-release-plugin] prepare release org.apache.sling.xss-1.0.12
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1756115 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 93d7bf2..c066f56 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
<!-- ======================================================================= -->
<artifactId>org.apache.sling.xss</artifactId>
<packaging>bundle</packaging>
- <version>1.0.11-SNAPSHOT</version>
+ <version>1.0.12</version>
<name>Apache Sling XSS Protection Bundle</name>
<description>
@@ -40,9 +40,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.12</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.12</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.xss-1.0.12</url>
</scm>
[sling-org-apache-sling-xss] 01/04: [maven-release-plugin] prepare
for next development iteration
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit fbce7ca9ac57640faf44c50ca73694bfb5457908
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Thu Aug 4 09:00:40 2016 +0000
[maven-release-plugin] prepare for next development iteration
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1755156 13f79535-47bb-0310-9956-ffa450edef68
---
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 533c95a..93d7bf2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
<!-- ======================================================================= -->
<artifactId>org.apache.sling.xss</artifactId>
<packaging>bundle</packaging>
- <version>1.0.10</version>
+ <version>1.0.11-SNAPSHOT</version>
<name>Apache Sling XSS Protection Bundle</name>
<description>
@@ -40,9 +40,9 @@
</description>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.10</connection>
- <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.10</developerConnection>
- <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.xss-1.0.10</url>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</connection>
+ <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</developerConnection>
+ <url>http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss</url>
</scm>
[sling-org-apache-sling-xss] 04/04: [maven-release-plugin] copy for
tag org.apache.sling.xss-1.0.12
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 01daa6857d6767f6851262417b6f9f23f9c57232
Author: Bertrand Delacretaz <bd...@apache.org>
AuthorDate: Fri Aug 12 08:13:30 2016 +0000
[maven-release-plugin] copy for tag org.apache.sling.xss-1.0.12
git-svn-id: https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.12@1756116 13f79535-47bb-0310-9956-ffa450edef68
[sling-org-apache-sling-xss] 02/04: SLING-5954 - Disable
non-essential features in XML parser
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit ff79a088b04bee828ee264dce7c05c171e4ddf5a
Author: Bertrand Delacretaz <bd...@apache.org>
AuthorDate: Wed Aug 10 09:57:15 2016 +0000
SLING-5954 - Disable non-essential features in XML parser
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1755704 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java | 10 ++++++++++
src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 4 ++++
2 files changed, 14 insertions(+)
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index e0fc15f..b38fde6 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -21,6 +21,7 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -43,6 +44,8 @@ import org.owasp.esapi.Validator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.InputSource;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
@Component
@@ -65,6 +68,13 @@ public class XSSAPIImpl implements XSSAPI {
factory = SAXParserFactory.newInstance();
factory.setValidating(false);
factory.setNamespaceAware(true);
+ try {
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ } catch (Exception e) {
+ LOGGER.error("SAX parser configuration error: " + e.getMessage(), e);
+ }
}
@Deactivate
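Review bot: The `catch (Exception e)` closing the added block logs and continues, so a factory that rejects any of the three features keeps serving a parser with external DTD and entity loading still enabled, and the exception imports added in the two earlier hunks of this file (ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException) end up unused. Narrow it to `catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e)` and fail closed, either rethrowing so activation fails or recording that the parser is unhardened so the validation path can refuse input rather than parse it unprotected. Consider additionally setting `http://apache.org/xml/features/disallow-doctype-decl` to true, which rejects any DOCTYPE and so also covers internal-entity expansion that the three external-entity features leave enabled; the new test case in XSSAPIImplTest expects a DOCTYPE to be accepted, so that would be a deliberate policy change rather than a drop-in. The enclosing activate method starts before this hunk.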
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index e6f3c87..263514e 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -673,6 +673,10 @@ public class XSSAPIImplTest {
{
"<t><w>xyz</t></w>",
RUBBISH_XML
+ },
+ {
+ "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>",
+ "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>"
}
};
for (String[] aTestData : testData) {
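Review bot: The new case pins only the load-external-dtd setting: a document with a SYSTEM DOCTYPE on an unresolvable host comes back unchanged, which shows the DTD was not fetched (a fetch would fail and presumably yield the same failure value, RUBBISH_XML, as the preceding case), but nothing exercises the external-general-entities or external-parameter-entities features turned off in the same commit, so a case with a general entity declared as external and referenced in the body would pin those too. The expected value also returns the DOCTYPE verbatim, so whatever consumes the validated string and parses it again needs the same hardening; the method under test is outside this hunk, so that is inferred from the data table alone.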