Posted to dev@sling.apache.org by "Radu Cotescu (Jira)" <ji...@apache.org> on 2019/11/20 09:16:00 UTC

[jira] [Created] (SLING-8851) Skip namespace mangling

Radu Cotescu created SLING-8851:
-----------------------------------

             Summary: Skip namespace mangling
                 Key: SLING-8851
                 URL: https://issues.apache.org/jira/browse/SLING-8851
             Project: Sling
          Issue Type: Improvement
          Components: XSS Protection API
            Reporter: Radu Cotescu
            Assignee: Radu Cotescu
             Fix For: XSS Protection API 2.1.18


Historically, Sling needed to escape JCR namespaces from URL paths, since the ":" character posed a problem for older browsers. However, RFC 3986 [0] allows the colon in path segments, and current browsers have not had an issue with it for years.

The XSSAPI implementation currently present in Sling attempts to mangle JCR namespaces, but without any knowledge of the actual registered namespaces. Given that the colon is not really a problem any more and that resource paths should anyway be passed through the {{org.apache.sling.api.resource.ResourceResolver#map(java.lang.String)}} API before being exposed as URLs, the code that attempts to perform mangling in the {{XSSAPI#getValidHref}} implementation should be removed.

For more details consult the dev list [1]. 

[0] - https://tools.ietf.org/html/rfc3986
[1] - https://s.apache.org/4ga5i



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
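The following is an added illustration, not code from Sling or from the issue above, of the two points the issue makes: RFC 3986 admits ":" in a path segment, and a mangling step that does not know which prefixes are registered namespaces cannot be undone reliably by a resolver that does. The "ns:name" to "_ns_name" convention, the regular expressions, and the set of registered prefixes are assumptions modelled loosely on Sling's resource resolver, not the project's actual code; the sample paths are constructed. The example also carries the one RFC 3986 caveat a practitioner should keep in mind when dropping the mangling: section 4.2 says a relative-path reference whose first segment contains a colon must be prefixed with "./", or it is read as a scheme.

```python
"""Colons in URL path segments: RFC 3986 check, and registry-aware vs. blind
namespace mangling.  Added example, not Apache Sling code.  Assumptions:
the "ns:name" -> "_ns_name" convention and the REGISTERED set are constructed
for this illustration and are not taken from the Sling implementation."""
import re
from urllib.parse import urlsplit

# RFC 3986, section 3.3: segment = *pchar
#   pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
PCHAR_SEGMENT = re.compile(rf"^(?:[{UNRESERVED}{SUB_DELIMS}:@]|%[0-9A-Fa-f]{{2}})*$")


def is_rfc3986_abs_path(path: str) -> bool:
    """True if `path` is a path-absolute whose segments contain only pchar.
    A colon inside a segment is legal here; a space or an unescaped '#' is not."""
    if not path.startswith("/"):
        return False
    return all(PCHAR_SEGMENT.match(seg) for seg in path.split("/")[1:])


# Constructed sample of namespace prefixes a repository might have registered.
REGISTERED = frozenset({"jcr", "sling", "nt"})

# "/prefix:" after a slash, and its mangled counterpart "/_prefix_".
PREFIXED_SEGMENT = re.compile(r"/([^:/]+):")
MANGLED_SEGMENT = re.compile(r"/_([^_/]+)_")


def mangle_blind(path: str) -> str:
    """Mangle every 'prefix:' in the path, with no idea whether the prefix is
    a namespace.  This is the behaviour the issue argues should be removed."""
    return PREFIXED_SEGMENT.sub(r"/_\1_", path)


def mangle_registered(path: str, registered=REGISTERED) -> str:
    """Mangle only segments whose prefix is a registered namespace, the way a
    resolver with namespace knowledge would."""
    def repl(m: re.Match) -> str:
        prefix = m.group(1)
        return f"/_{prefix}_" if prefix in registered else m.group(0)
    return PREFIXED_SEGMENT.sub(repl, path)


def unmangle(path: str, registered=REGISTERED) -> str:
    """Reverse the mangling for registered prefixes only; an "_x_" segment
    whose x is not a namespace is left alone, because it may be a real name."""
    def repl(m: re.Match) -> str:
        prefix = m.group(1)
        return f"/{prefix}:" if prefix in registered else m.group(0)
    return MANGLED_SEGMENT.sub(repl, path)


def round_trips(path: str, mangler) -> bool:
    """Does mangling with `mangler` and then unmangling give the path back?"""
    return unmangle(mangler(path)) == path


def as_relative_reference(rel_path: str) -> str:
    """RFC 3986, section 4.2: a relative-path reference whose first segment
    contains ':' would be parsed as <scheme>:..., so prefix it with './'."""
    first_segment = rel_path.split("/", 1)[0]
    return "./" + rel_path if ":" in first_segment else rel_path


def parsed_scheme(reference: str) -> str:
    """What a standard URL parser takes as the scheme of `reference`."""
    return urlsplit(reference).scheme


if __name__ == "__main__":
    sample = "/content/site/jcr:content/foo:bar"   # constructed; 'foo' is not registered
    print(is_rfc3986_abs_path(sample))                  # True: colons are pchar
    print(mangle_registered(sample))                    # /content/site/_jcr_content/foo:bar
    print(mangle_blind(sample))                         # /content/site/_jcr_content/_foo_bar
    print(round_trips(sample, mangle_registered))       # True
    print(round_trips(sample, mangle_blind))            # False: '_foo_bar' is never unmangled
    print(parsed_scheme("jcr:content/foo"))             # 'jcr' -- mistaken for a scheme
    print(parsed_scheme(as_relative_reference("jcr:content/foo")))  # '' -- './' fixes it
```

The last two lines are the practical reason the colon is only safe when links are emitted as absolute paths or with a leading "./": the path segment is valid, but a bare relative reference such as "jcr:content/foo" is parsed as scheme "jcr" by any RFC 3986 parser, browsers included.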