You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Stefan Seifert (Jira)" <ji...@apache.org> on 2023/05/16 15:50:00 UTC

[jira] [Created] (SLING-11882) XSS Protection API: Apply shading/package relocation to embedded Guava+Co Libraries

Stefan Seifert created SLING-11882:
--------------------------------------

             Summary: XSS Protection API: Apply shading/package relocation to embedded Guava+Co Libraries
                 Key: SLING-11882
                 URL: https://issues.apache.org/jira/browse/SLING-11882
             Project: Sling
          Issue Type: Improvement
          Components: XSS Protection API
    Affects Versions: XSS Protection API 2.3.0
            Reporter: Stefan Seifert
             Fix For: XSS Protection API 2.3.8


with version 2.3.0 of the XSS Protection API the internal implementation was switched to OWASP sanitizer library (esapi) in SLING-7231.

with this new implementation comes a load of 3rdparty libraries including a guava version, which is embedded as private packages in the OSGi bundle. this is completely fine from an OSGi bundle perspective and works.

however, in unit test contexts this can lead to problems, because depending on the dependency order the embedded guava classes may overlay other guava classes references in the same POM with a different version, leading to problems running code in the unit test context. to prevent problems like this, we usually apply a shading and relocation of the package names to ensure such clashes in classpath does no happen.

the same problem may affect other libraries embedded in the bundle.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)