Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:25:21 UTC

[sling-org-apache-sling-xss] annotated tag org.apache.sling.xss-1.0.12 created (now e087bb4)

This is an automated email from the ASF dual-hosted git repository.

rombert pushed a change to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git.


      at e087bb4  (tag)
 tagging 01daa6857d6767f6851262417b6f9f23f9c57232 (commit)
      by Bertrand Delacretaz
      on Fri Aug 12 08:13:30 2016 +0000

- Log -----------------------------------------------------------------
org.apache.sling.xss-1.0.12
-----------------------------------------------------------------------

This annotated tag includes the following new commits:

     new ce57411  SLING-4705 - Move the XSS Protection bundle from contrib to bundles
     new a1132dc  SLING-4525 - XSS protection path mangling issue
     new 7a68e9d  SLING-4557 - Add JSON and XML validation to the XSS Protection API
     new 20f10ec  Update svn:ignore
     new a860112  SLING-4584 - Performance: XSSAPI.getValidHref should not be based on HTML filtering
     new dc7f8be  Update to Sling Parent 23
     new 978acab  Remove superflous sling.java.version=6 as it's the default now
     new f889940  set parent version to 24 and add empty relativePath where missing
     new 54e898d  SLING-4403 - XSS Configuration should allow caption tags
     new b9c2df5  SLING-4584 - Performance: XSSAPI.getValidHref should not be based on HTML filtering
     new cb9c2a4  trivial: corrected JavaDoc for Java 1.8
     new f9008d3  trivial: updated README
     new b158317  [maven-release-plugin] prepare release org.apache.sling.xss-1.0.4
     new 8db0e9d  [maven-release-plugin] prepare for next development iteration
     new ee2a195  SLING-5050 - Disable AntiSamy's default formatOutput policy directive
     new d615480  Update the main reactor to parent 25
     new e511cf5  [maven-release-plugin] prepare release org.apache.sling.xss-1.0.6
     new 2ca29b7  [maven-release-plugin] prepare for next development iteration
     new d490141  Switch to parent pom 26
     new 58f95b8  SLING-5445 - XSSAPI#encodeForJSString is too restrictive
     new 9ad75d5  [maven-release-plugin] prepare release org.apache.sling.xss-1.0.8
     new 81b6a22  [maven-release-plugin] prepare for next development iteration
     new f9befd2  SLING-5761 - adding double validator
     new 90a82b3  SLING-5761 add Double XSS validator
     new 3dcd697  SLING-5946 - XSSAPI#encodeForJSString is not restrictive enough
     new 1e6db49  [maven-release-plugin] prepare release org.apache.sling.xss-1.0.10
     new fbce7ca  [maven-release-plugin] prepare for next development iteration
     new ff79a08  SLING-5954 - Disable non-essential features in XML parser
     new 0475ee4  [maven-release-plugin] prepare release org.apache.sling.xss-1.0.12
     new 01daa68  [maven-release-plugin] copy for tag org.apache.sling.xss-1.0.12

The 30 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[sling-org-apache-sling-xss] 03/04: [maven-release-plugin] prepare release org.apache.sling.xss-1.0.12

Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit 0475ee4199cdaa809af82184b8f608ea53dc587d
Author: Bertrand Delacretaz <bd...@apache.org>
AuthorDate: Fri Aug 12 08:13:16 2016 +0000

    [maven-release-plugin] prepare release org.apache.sling.xss-1.0.12
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1756115 13f79535-47bb-0310-9956-ffa450edef68
---
 pom.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pom.xml b/pom.xml
index 93d7bf2..c066f56 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
     <!-- ======================================================================= -->
     <artifactId>org.apache.sling.xss</artifactId>
     <packaging>bundle</packaging>
-    <version>1.0.11-SNAPSHOT</version>
+    <version>1.0.12</version>
 
     <name>Apache Sling XSS Protection Bundle</name>
     <description>
@@ -40,9 +40,9 @@
     </description>
 
     <scm>
-        <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</connection>
-        <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</developerConnection>
-        <url>http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss</url>
+        <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.12</connection>
+        <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.12</developerConnection>
+        <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.xss-1.0.12</url>
     </scm>
 
 


[sling-org-apache-sling-xss] 01/04: [maven-release-plugin] prepare for next development iteration

Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit fbce7ca9ac57640faf44c50ca73694bfb5457908
Author: Robert Munteanu <ro...@apache.org>
AuthorDate: Thu Aug 4 09:00:40 2016 +0000

    [maven-release-plugin] prepare for next development iteration
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1755156 13f79535-47bb-0310-9956-ffa450edef68
---
 pom.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pom.xml b/pom.xml
index 533c95a..93d7bf2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
     <!-- ======================================================================= -->
     <artifactId>org.apache.sling.xss</artifactId>
     <packaging>bundle</packaging>
-    <version>1.0.10</version>
+    <version>1.0.11-SNAPSHOT</version>
 
     <name>Apache Sling XSS Protection Bundle</name>
     <description>
@@ -40,9 +40,9 @@
     </description>
 
     <scm>
-        <connection>scm:svn:http://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.10</connection>
-        <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.10</developerConnection>
-        <url>http://svn.apache.org/viewvc/sling/tags/org.apache.sling.xss-1.0.10</url>
+        <connection>scm:svn:http://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</connection>
+        <developerConnection>scm:svn:https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss</developerConnection>
+        <url>http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss</url>
     </scm>
 
 


[sling-org-apache-sling-xss] 04/04: [maven-release-plugin] copy for tag org.apache.sling.xss-1.0.12

Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit 01daa6857d6767f6851262417b6f9f23f9c57232
Author: Bertrand Delacretaz <bd...@apache.org>
AuthorDate: Fri Aug 12 08:13:30 2016 +0000

    [maven-release-plugin] copy for tag org.apache.sling.xss-1.0.12
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.12@1756116 13f79535-47bb-0310-9956-ffa450edef68


[sling-org-apache-sling-xss] 02/04: SLING-5954 - Disable non-essential features in XML parser

Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit ff79a088b04bee828ee264dce7c05c171e4ddf5a
Author: Bertrand Delacretaz <bd...@apache.org>
AuthorDate: Wed Aug 10 09:57:15 2016 +0000

    SLING-5954 - Disable non-essential features in XML parser
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1755704 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java     | 10 ++++++++++
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java |  4 ++++
 2 files changed, 14 insertions(+)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index e0fc15f..b38fde6 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -21,6 +21,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.annotation.Nonnull;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -43,6 +44,8 @@ import org.owasp.esapi.Validator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 @Component
@@ -65,6 +68,13 @@ public class XSSAPIImpl implements XSSAPI {
         factory = SAXParserFactory.newInstance();
         factory.setValidating(false);
         factory.setNamespaceAware(true);
+        try {
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        } catch (Exception e) {
+            LOGGER.error("SAX parser configuration error: " + e.getMessage(), e);
+        }
     }
 
     @Deactivate
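Review bot: The `catch (Exception e)` at the end of the new try block logs a failed `setFeature` call and then lets activation continue, so a factory whose XXE protections could not be applied is still used for untrusted input; this should fail closed, e.g. add `throw new IllegalStateException("Unable to configure a hardened SAX parser", e);` after the `LOGGER.error` line. The three features disable fetching of external DTDs and external general/parameter entities, but nothing in the hunk bounds internal entity expansion (billion-laughs style), so consider also `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setXIncludeAware(false);` (the former needs a `javax.xml.XMLConstants` import). `http://apache.org/xml/features/disallow-doctype-decl` would be the stronger fix, but it would reject the DOCTYPE sample the test hunk in this same commit expects to be accepted, so that is a deliberate trade-off to document in a comment above the try block. The catch-all also leaves the newly imported `ParserConfigurationException`, `SAXNotRecognizedException` and `SAXNotSupportedException` unused; catching those three explicitly would make the intent clearer. The enclosing method (presumably the activation method, given the `@Deactivate` that follows) starts outside the hunk.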
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index e6f3c87..263514e 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -673,6 +673,10 @@ public class XSSAPIImplTest {
                 {
                         "<t><w>xyz</t></w>",
                         RUBBISH_XML
+                },
+                {
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>",
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>"
                 }
         };
         for (String[] aTestData : testData) {
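Review bot: The new test case only exercises the external-DTD path (`load-external-dtd`); the two external-entity features set in the same commit have no coverage here, so a regression that re-enables `external-general-entities` would pass this suite. Add a case whose document declares an external general entity inline, e.g. `"<?xml version=\"1.0\"?><!DOCTYPE t [<!ENTITY x SYSTEM \"http://nonExistentHost:1234/\">]><t>&x;</t>"`, with the expected value set to whatever the implementation returns for a skipped external entity (presumably the input unchanged, as for the DOCTYPE sample; verify before pinning it). A one-line comment on the DOCTYPE entry, `// must not attempt to fetch the external DTD`, would also record why an unreachable host is used on purpose. The test method enclosing this data array starts and ends outside the hunk.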
