Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/01/07 08:25:00 UTC

[jira] [Commented] (SLING-10953) Update dependency Antisamy version from 1.5.10 to 1.6.4

    [ https://issues.apache.org/jira/browse/SLING-10953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470414#comment-17470414 ] 

Robert Munteanu commented on SLING-10953:
-----------------------------------------

I have a draft PR at https://github.com/apache/sling-org-apache-sling-xss/pull/12 that currently fails since the new AntiSamy version requests attributes that are not supported by Xalan (which we embed).

One workaround idea would be to try and provide a custom TransformerFactory, just for the Sling XSS bundle, that delegates to Xalan but ignores the attributes requested by AntiSamy.

> Update dependency Antisamy version from 1.5.10 to 1.6.4
> -------------------------------------------------------
>
>                 Key: SLING-10953
>                 URL: https://issues.apache.org/jira/browse/SLING-10953
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Tatyana Vogel
>            Priority: Major
>             Fix For: XSS Protection API 2.2.18
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The latest version of AntiSamy is 1.6.4, see https://search.maven.org/search?q=g:org.owasp.antisamy%20AND%20a:antisamy . We should upgrade to that version, since we embed the AntiSamy bundle and there is no other way for consumers of the bundle to upgrade.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
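
The workaround idea from the comment above, sketched as an added example; it is not code from the Sling XSS bundle or the linked PR. The class name and the list of tolerated attributes are assumptions: the message does not name the attributes AntiSamy requests, so the two JAXP access-restriction constants stand in for them.

```java
import java.util.Arrays;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.transform.*;

/** Hypothetical delegating factory; name and tolerated list are assumptions. */
public class AttributeTolerantTransformerFactory extends TransformerFactory {

    // Assumed: these are the attributes the delegate rejects. Adjust to the
    // names that actually appear in the IllegalArgumentException messages.
    private static final List<String> TOLERATED = Arrays.asList(
            XMLConstants.ACCESS_EXTERNAL_DTD,
            XMLConstants.ACCESS_EXTERNAL_STYLESHEET);

    private final TransformerFactory delegate;

    // In the bundle the delegate would be the embedded Xalan factory,
    // e.g. new org.apache.xalan.processor.TransformerFactoryImpl().
    public AttributeTolerantTransformerFactory(TransformerFactory delegate) {
        this.delegate = delegate;
    }

    @Override
    public void setAttribute(String name, Object value) {
        try {
            // Try the delegate first so the restriction applies wherever it is supported.
            delegate.setAttribute(name, value);
        } catch (IllegalArgumentException e) {
            // Ignore only the allowlisted names; any other attribute still fails loudly.
            if (!TOLERATED.contains(name)) {
                throw e;
            }
        }
    }

    // Everything else is plain delegation.
    @Override public Object getAttribute(String name) { return delegate.getAttribute(name); }
    @Override public void setFeature(String name, boolean value) throws TransformerConfigurationException { delegate.setFeature(name, value); }
    @Override public boolean getFeature(String name) { return delegate.getFeature(name); }
    @Override public Transformer newTransformer() throws TransformerConfigurationException { return delegate.newTransformer(); }
    @Override public Transformer newTransformer(Source s) throws TransformerConfigurationException { return delegate.newTransformer(s); }
    @Override public Templates newTemplates(Source s) throws TransformerConfigurationException { return delegate.newTemplates(s); }
    @Override public Source getAssociatedStylesheet(Source s, String media, String title, String charset) throws TransformerConfigurationException { return delegate.getAssociatedStylesheet(s, media, title, charset); }
    @Override public void setURIResolver(URIResolver r) { delegate.setURIResolver(r); }
    @Override public URIResolver getURIResolver() { return delegate.getURIResolver(); }
    @Override public void setErrorListener(ErrorListener l) { delegate.setErrorListener(l); }
    @Override public ErrorListener getErrorListener() { return delegate.getErrorListener(); }
}
```

To be picked up through `TransformerFactory.newInstance()` the class would also need a public no-argument constructor that creates the delegate. When the delegate rejects an allowlisted attribute, the restriction it expresses is not applied, so the set of ignored names should stay as small as the failing calls require.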