Posted to dev@sling.apache.org by "Radu Cotescu (Jira)" <ji...@apache.org> on 2020/08/26 15:15:00 UTC

[jira] [Commented] (SLING-9694) XSSAPIImpl#getValidHref does not escape the ampersand character

    [ https://issues.apache.org/jira/browse/SLING-9694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17185258#comment-17185258 ] 

Radu Cotescu commented on SLING-9694:
-------------------------------------

Copying the answer from SLING-9011:

I'm tempted to not pursue the fix here. The reason is that the newest version of the HTML standard does not enforce this rule any more and it was most probably based on the fact that most of the browsers are lenient and automatically correct the URLs they use when accessing the resources.

Section 12.1.2.3 [0] of the HTML standard mentions which characters are not allowed in an attribute value and the ampersand is not in this class. The standard does mention that ambiguous ampersands are not allowed, but these are defined as structures that look like a name character reference but are not one. Given the potential of introducing an incompatible change, I'm not sure if it would be really worth fixing this issue.

[0] - https://html.spec.whatwg.org/multipage/syntax.html#attributes-2

> XSSAPIImpl#getValidHref does not escape the ampersand character
> ---------------------------------------------------------------
>
>                 Key: SLING-9694
>                 URL: https://issues.apache.org/jira/browse/SLING-9694
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 1.0.0, XSS Protection API 2.0.0, XSS Protection API 2.1.0, XSS Protection API 2.2.0, XSS Protection API Compat 1.1.0
>            Reporter: Radu Cotescu
>            Assignee: Radu Cotescu
>            Priority: Major
>             Fix For: XSS Protection API 2.2.8
>
>
> {{XSSAPIImpl#getValidHref}} does not escape the ampersand character, although the API's JavaDoc states that the method should "Sanitize a URL for writing as an HTML href or src attribute value".



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
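The distinction the comment draws (the spec only forbids "ambiguous ampersands" in attribute values, while a sanitizer that writes a URL into an href still has to keep the browser from interpreting any `&name;` run as a character reference) is easier to see with code. The following is an added example, not code from Sling's XSSAPIImpl or from the Jira thread: `findAmbiguousAmpersands` applies the standard's definition (an `&` followed by ASCII alphanumerics and `;` whose name is not a known reference) against a small constructed subset of the named-reference table, `escapeForAttribute` is a hypothetical helper that escapes a URL the way an attribute-context sanitizer would, and `decodeAttributeSubset` mimics, for that same subset, how a parser would decode the quoted value so the effect of escaping (or not escaping) the ampersand can be checked.

```javascript
// Added example (not Sling's code). Demonstrates the HTML-standard notion of an
// "ambiguous ampersand" and why escaping "&" as "&amp;" in an href/src attribute
// value is still the safe choice for a sanitizer.

// Constructed subset of the HTML named character references; the real table
// has over 2000 entries, this is just enough for the demonstration.
const KNOWN_NAMED_REFS = new Set(["amp", "lt", "gt", "quot", "copy", "nbsp"]);

// Per https://html.spec.whatwg.org/multipage/syntax.html#attributes-2, an
// ambiguous ampersand is "&" + one or more ASCII alphanumerics + ";" where the
// name does not match a named character reference. Returns each occurrence.
function findAmbiguousAmpersands(value) {
  const found = [];
  const re = /&([A-Za-z0-9]+);/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    if (!KNOWN_NAMED_REFS.has(m[1])) {
      found.push({ index: m.index, text: m[0] });
    }
  }
  return found;
}

// Hypothetical attribute-context escaper: "&" becomes "&amp;" so no run of
// characters in the URL can be read as a character reference, and the quote
// and angle-bracket characters are escaped so the value cannot close the
// attribute or the tag. The URL itself is assumed to be already validated.
function escapeForAttribute(url) {
  return url
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Minimal model of how a parser decodes a quoted attribute value, restricted
// to the subset above (single pass, as a real tokenizer would do).
const DECODE_TABLE = {
  amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'", copy: "\u00a9", nbsp: "\u00a0",
};
function decodeAttributeSubset(value) {
  return value.replace(/&(amp|lt|gt|quot|copy|nbsp|#39);/g, (_, name) => DECODE_TABLE[name]);
}

// Constructed sample URLs. The first contains a query parameter that happens
// to look like the "copy" reference; the second contains an unknown name.
const URL_WITH_KNOWN_NAME = "https://example.com/?a=1&copy;=2";
const URL_WITH_UNKNOWN_NAME = "https://example.com/?a=1&foo;=2";

// Writing the first URL into an attribute without escaping corrupts it: the
// parser turns "&copy;" into the copyright sign, so the link no longer points
// where the author intended. With escaping, it round-trips unchanged.
function demonstrate() {
  return {
    ambiguousInKnown: findAmbiguousAmpersands(URL_WITH_KNOWN_NAME).length,     // 0
    ambiguousInUnknown: findAmbiguousAmpersands(URL_WITH_UNKNOWN_NAME).length, // 1
    unescapedDecodes: decodeAttributeSubset(URL_WITH_KNOWN_NAME),
    escapedDecodes: decodeAttributeSubset(escapeForAttribute(URL_WITH_KNOWN_NAME)),
  };
}

console.log(demonstrate());
```

The point the example makes is that the spec's "ambiguous ampersand" rule is about conformance, not about what a browser will do: `&copy;` is not ambiguous (it is a real reference), which is exactly why an unescaped URL containing it gets silently rewritten by the parser, while an unknown `&foo;` is flagged as ambiguous but left alone. A sanitizer that escapes every `&` sidesteps both cases.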