You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Robert Munteanu (JIRA)" <ji...@apache.org> on 2016/08/04 08:44:20 UTC

[jira] [Resolved] (SLING-5946) XSSAPI#encodeForJSString is not restrictive enough

     [ https://issues.apache.org/jira/browse/SLING-5946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu resolved SLING-5946.
------------------------------------
    Resolution: Fixed

Applied in https://svn.apache.org/r1755147, thanks for the contribution!

> XSSAPI#encodeForJSString is not restrictive enough
> --------------------------------------------------
>
>                 Key: SLING-5946
>                 URL: https://issues.apache.org/jira/browse/SLING-5946
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: XSS Protection API 1.0.8
>            Reporter: Vlad Bailescu
>            Assignee: Robert Munteanu
>             Fix For: XSS Protection API 1.0.10
>
>         Attachments: SLING_5946.patch
>
>
> Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding {{</script>}} and {{<!--}}. We should revert to using OWASP {{Encode#forJavaScript}} and handle - characters correctly for JSON too, by replacing them with {{\u002D}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)