Posted to dev@sling.apache.org by Robert Munteanu <ro...@apache.org> on 2022/05/19 12:11:14 UTC

[RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

Hi,

Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
effort to move over to the Java HTML cleaner [1]. Mapping out the
functionality currently supported revealed a feature that is IMO of
uncertain value.

When validating HTML, external stylesheets embedded in style tags are
loaded and inlined. For example, validating

---
<h1>Hello, world</h1>
<style type="text/css">
h1 { color: red }
@import "https://example.com/my-awesome-input.css"
</style>
---

will access https://example.com/my-awesome-input.css, inline it in the
style tag, and validate it.

This functionality is disabled in the default configuration we ship
with Sling. I think this can have a stability and performance impact
when enabled and therefore I propose that we stop supporting it in the
future.

I would start with logging a WARN message when stylesheet embedding is
supported for the next patch version of the XSS bundle and then
removing the functionality in the next minor version.

Thoughts?

Thanks,
Robert


[1]: https://issues.apache.org/jira/browse/SLING-7231
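To make the behaviour concrete from the defender's side, here is an added example (not code from the Sling XSS bundle, AntiSamy or the Java HTML cleaner) that does what a sanitizer without stylesheet embedding should do: it finds @import rules inside <style> elements and either reports, strips, or rejects them without opening any connection. The sample HTML is constructed to mirror the snippet in the mail; the function names and the "remote means scheme or protocol-relative" rule are my own choices, not the bundle's.

```python
import re

# Constructed sample input mirroring the e-mail's example: one harmless rule plus
# an @import that a fetch-and-inline sanitizer would resolve over the network.
SAMPLE_HTML = """<h1>Hello, world</h1>
<style type="text/css">
h1 { color: red }
@import "https://example.com/my-awesome-input.css"
</style>
"""

# A <style> element, with opening tag, body and closing tag captured separately.
# A real sanitizer works on a parsed DOM; a regex is enough to show the check.
_STYLE_RE = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.IGNORECASE | re.DOTALL)

# One @import rule: optional url(...) wrapper, optional quotes, optional media
# list, optional trailing semicolon (the example in the mail has none).
_IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?[^;\n]*;?""",
    re.IGNORECASE,
)


def stylesheet_imports(html: str) -> list[str]:
    """Return every @import target found inside <style> elements, without fetching."""
    targets = []
    for m in _STYLE_RE.finditer(html):
        targets.extend(imp.group(1) for imp in _IMPORT_RE.finditer(m.group(2)))
    return targets


def is_remote(target: str) -> bool:
    """True for absolute (scheme:) or protocol-relative (//host) references."""
    return re.match(r"^(?:[a-z][a-z0-9+.\-]*:|//)", target, re.IGNORECASE) is not None


def has_remote_imports(html: str) -> bool:
    """True if sanitizing this input with embedding enabled would open a connection."""
    return any(is_remote(t) for t in stylesheet_imports(html))


def strip_stylesheet_imports(html: str) -> tuple[str, list[str]]:
    """Remove @import rules from <style> bodies; return (cleaned html, removed targets)."""
    removed = []

    def _clean(m: re.Match) -> str:
        body = m.group(2)
        removed.extend(imp.group(1) for imp in _IMPORT_RE.finditer(body))
        return m.group(1) + _IMPORT_RE.sub("", body) + m.group(3)

    return _STYLE_RE.sub(_clean, html), removed


def validate_no_remote_imports(html: str) -> None:
    """Fail closed instead of fetching: the caller decides whether to strip or reject."""
    remote = [t for t in stylesheet_imports(html) if is_remote(t)]
    if remote:
        raise ValueError(f"refusing to embed remote stylesheets: {remote}")


if __name__ == "__main__":
    print(stylesheet_imports(SAMPLE_HTML))
    cleaned, removed = strip_stylesheet_imports(SAMPLE_HTML)
    print(cleaned)
    print("removed:", removed)
    try:
        validate_no_remote_imports(SAMPLE_HTML)
    except ValueError as err:
        print(err)
```

Either path (strip or reject) keeps the sanitizer free of network I/O on untrusted input, which is the stability and performance point the proposal makes; whether to drop the rule silently or fail the whole document is a policy choice for the caller.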


Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

Posted by Robert Munteanu <ro...@apache.org>.
Thanks Carsten and Oliver. I've filed
https://issues.apache.org/jira/browse/SLING-11326 and will create a
release which includes it soon.

Robert

On Thu, 2022-05-19 at 14:29 +0200, Oliver Lietz wrote:
> On Thursday, 19 May 2022 14:11:14 CEST Robert Munteanu wrote:
> > Hi,
> > 
> > Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is
> > an
> > effort to move over to the Java HTML cleaner [1]. Mapping out the
> > functionality currently supported revealed a feature that is IMO
> > of
> > uncertain value.
> > 
> > When validating HTML, external stylesheets embedded in style tags
> > are
> > loaded and inlined. For example, validating
> > 
> > ---
> > <h1>Hello, world</h1>
> > <style type="text/css">
> > h1 { color: red }
> > @import "https://example.com/my-awesome-input.css"
> > </style>
> > ---
> > 
> > will access https://example.com/my-awesome-input.css, inline it in
> > the
> > style tag, and validate it.
> > 
> > This functionality is disabled in the default configuration we ship
> > with Sling. I think this can have a stability and performance
> > impact
> > when enabled and therefore I propose that we stop supporting it in
> > the
> > future.
> > 
> > I would start with logging a WARN message when stylesheet embedding
> > is
> > supported for the next patch version of the XSS bundle and then
> > removing the functionality in the next minor version.
> > 
> > Thoughts?
> 
> +1 deprecate and remove
> 
> O.
> 
> 
> > Thanks,
> > Robert
> > 
> > 
> > [1]: https://issues.apache.org/jira/browse/SLING-7231
> 
> 
> 
> 


Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

Posted by Oliver Lietz <ap...@oliverlietz.de>.
On Thursday, 19 May 2022 14:11:14 CEST Robert Munteanu wrote:
> Hi,
> 
> Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
> effort to move over to the Java HTML cleaner [1]. Mapping out the
> functionality currently supported revealed a feature that is IMO of
> uncertain value.
> 
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
> 
> ---
> <h1>Hello, world</h1>
> <style type="text/css">
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css"
> </style>
> ---
> 
> will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
> 
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
> 
> I would start with logging a WARN message when stylesheet embedding is
> supported for the next patch version of the XSS bundle and then
> removing the functionality in the next minor version.
> 
> Thoughts?

+1 deprecate and remove

O.


> Thanks,
> Robert
> 
> 
> [1]: https://issues.apache.org/jira/browse/SLING-7231

Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

Posted by Carsten Ziegeler <cz...@apache.org>.
Hi,

Agreed, it's better not to have this. I guess arbitrary embedding of
whatever is referenced is also not the best idea.

+1

Carsten

Am 19.05.2022 um 14:11 schrieb Robert Munteanu:
> Hi,
> 
> Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
> effort to move over to the Java HTML cleaner [1]. Mapping out the
> functionality currently supported revealed a feature that is IMO of
> uncertain value.
> 
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
> 
> ---
> <h1>Hello, world</h1>
> <style type="text/css">
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css"
> </style>
> ---
> 
> will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
> 
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
> 
> I would start with logging a WARN message when stylesheet embedding is
> supported for the next patch version of the XSS bundle and then
> removing the functionality in the next minor version.
> 
> Thoughts?
> 
> Thanks,
> Robert
> 
> 
> [1]: https://issues.apache.org/jira/browse/SLING-7231
> 

-- 
Carsten Ziegeler
Adobe
cziegeler@apache.org