You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Vlad Bailescu (JIRA)" <ji...@apache.org> on 2016/08/03 14:41:20 UTC

[jira] [Created] (SLING-5946) XSSAPI#encodeForJSString is not restrictive enough

Vlad Bailescu created SLING-5946:
------------------------------------

             Summary: XSSAPI#encodeForJSString is not restrictive enough
                 Key: SLING-5946
                 URL: https://issues.apache.org/jira/browse/SLING-5946
             Project: Sling
          Issue Type: Bug
          Components: Extensions
    Affects Versions: XSS Protection API 1.0.8
            Reporter: Vlad Bailescu
             Fix For: XSS Protection API 1.0.10


Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding {{</script>}} and {{<!--}}. We should revert to using OWASP {{Encode#forJavaScript}} and handle {{-}} characters correctly for JSON too, by replacing them with {{\u002D}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)