You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Radu Cotescu (JIRA)" <ji...@apache.org> on 2016/01/21 18:21:39 UTC
[jira] [Resolved] (SLING-5445) XSSAPI#encodeForJSString is too
restrictive
[ https://issues.apache.org/jira/browse/SLING-5445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Radu Cotescu resolved SLING-5445.
---------------------------------
Resolution: Fixed
Fixed in [r1726027|https://svn.apache.org/r1726027].
> XSSAPI#encodeForJSString is too restrictive
> -------------------------------------------
>
> Key: SLING-5445
> URL: https://issues.apache.org/jira/browse/SLING-5445
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Affects Versions: XSS Protection API 1.0.6
> Reporter: Radu Cotescu
> Assignee: Radu Cotescu
> Fix For: XSS Protection API 1.0.8
>
>
> For the cases when somebody tries to sanitise JSON strings the {{XSSAPI#encodeForJSString}} current implementation is too restrictive.
> Assuming one would want to sanitize {{2016-01-21T15:40:30}}, the output of the {{XSSAPI#encodeForJSString}} would be
> {noformat}
> 2016\-01\-21T15:40:30
> {noformat}
> which although is a valid String for JavaScript code is not a valid one for JSON.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)