You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Radu Cotescu (JIRA)" <ji...@apache.org> on 2016/01/21 15:47:39 UTC

[jira] [Created] (SLING-5445) XSSAPI#encodeForJSString is too restrictive

Radu Cotescu created SLING-5445:
-----------------------------------

             Summary: XSSAPI#encodeForJSString is too restrictive
                 Key: SLING-5445
                 URL: https://issues.apache.org/jira/browse/SLING-5445
             Project: Sling
          Issue Type: Bug
          Components: Extensions
    Affects Versions: XSS Protection API 1.0.6
            Reporter: Radu Cotescu
            Assignee: Radu Cotescu
             Fix For: XSS Protection API 1.0.8


For the cases when somebody tries to sanitise JSON strings the {{XSSAPI#encodeForJSString}} current implementation is too restrictive. 

Assuming one would want to sanitize {{2016-01-21T15:40:30}}, the output of the {{XSSAPI#encodeForJSString}} would be 

{noformat}
2016\-01\-21T15:40:30
{noformat}

which although is a valid String for JavaScript code is not a valid one for JSON.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)