Posted to dev@sling.apache.org by "Radu Cotescu (Jira)" <ji...@apache.org> on 2019/11/20 09:16:00 UTC
[jira] [Created] (SLING-8851) Skip namespace mangling
Radu Cotescu created SLING-8851:
-----------------------------------
Summary: Skip namespace mangling
Key: SLING-8851
URL: https://issues.apache.org/jira/browse/SLING-8851
Project: Sling
Issue Type: Improvement
Components: XSS Protection API
Reporter: Radu Cotescu
Assignee: Radu Cotescu
Fix For: XSS Protection API 2.1.18
Historically, Sling needed to escape JCR namespaces from URL paths, since the ":" character posed a problem for older browsers. However, RFC 3986 [0] allows the colon in path segments, and current browsers have not had an issue with it for years.
The XSSAPI implementation currently present in Sling attempts to mangle JCR namespaces, but without any knowledge of the actual registered namespaces. Given that the colon is not really a problem any more and that resource paths should anyway be passed through the {{org.apache.sling.api.resource.ResourceResolver#map(java.lang.String)}} API before being exposed as URLs, the code that attempts to perform mangling in the {{XSSAPI#getValidHref}} implementation should be removed.
For more details consult the dev list [1].
[0] - https://tools.ietf.org/html/rfc3986
[1] - https://s.apache.org/4ga5i
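An added illustration of the problem described in the issue above, not Sling's XSSAPI code and not part of the original message: a mangler with no knowledge of the registered namespaces rewrites every colon-separated path segment, while a registry-aware one touches only real namespace prefixes. The regex, the class and method names, the sample registry and the sample paths are assumptions constructed for this example; `/_prefix_name` is the mangled form Sling uses in URLs.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NamespaceManglingDemo {

    // Any "/prefix:name" path segment, matched without a namespace registry lookup.
    private static final Pattern SEGMENT = Pattern.compile("/([^:/]+):([^:/]+)");

    // Constructed sample registry; a real repository reports its own prefixes.
    private static final Set<String> REGISTERED = Set.of("jcr", "sling", "nt");

    /** Blind mangling: rewrites every colon-separated segment to /_prefix_name. */
    static String mangleBlind(String path) {
        return SEGMENT.matcher(path).replaceAll("/_$1_$2");
    }

    /** Registry-aware mangling: rewrites only segments whose prefix is registered. */
    static String mangleRegistered(String path) {
        Matcher m = SEGMENT.matcher(path);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String replacement = REGISTERED.contains(m.group(1))
                    ? "/_" + m.group(1) + "_" + m.group(2)
                    : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        List<String> paths = List.of(
                "/content/site/jcr:content/image",    // real JCR namespace
                "/content/tags/color:red",            // colon, but not a namespace
                "/content/events/10:30-keynote.html"  // colon in an ordinary name
        );
        for (String p : paths) {
            System.out.printf("%-38s blind=%-38s registry=%s%n",
                    p, mangleBlind(p), mangleRegistered(p));
        }
    }
}
```

The blind variant turns `/content/tags/color:red` into `/content/tags/_color_red`, so a link validator that mangles this way silently changes the target of an otherwise valid href.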