Posted to dev@sling.apache.org by Satya Deep Maheshwari <m....@gmail.com> on 2018/08/24 12:17:07 UTC

[xss] Inconsistent XSSFilterImpl.isValidHref behavior

Hi

I had a query on XSSFilterImpl.isValidHref [1]. This method returns true
for the following url:

/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵

but returns false for the following url

/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11

which implies that

/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid
href and

/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
is not a valid href

which seems a bit strange to me. Can someone please explain the reasoning
behind this?

Here's the stacktrace which points to the method which returns the
true/false

0 = {StackTraceElement@23279}
"org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
1 = {StackTraceElement@23280}
"org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
2 = {StackTraceElement@23281}
"org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
3 = {StackTraceElement@23282}
"org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
4 = {StackTraceElement@23283}
"com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"

Regards
Satya Deep

[1] -
https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178

Re: [xss] Inconsistent XSSFilterImpl.isValidHref behavior

Posted by Radu Cotescu <ra...@apache.org>.
Hi Satya,

I think you meant the other way around, regarding the URLs (you get false for /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵).

I suspect it has something to do with the characters from "㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵", which are not valid according to the configured regex. For more details check [2].

Cheers,
Radu

[2] - https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L112-L113

> On 24 Aug 2018, at 14:17, Satya Deep Maheshwari <m....@gmail.com> wrote:
> 
> Hi
> 
> I had a query on XSSFilterImpl.isValidHref [1]. This method returns true
> for the following url:
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
> 
> but returns false for the following url
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11
> 
> which implies that
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid
> href and
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
> is not a valid href
> 
> which seems a bit strange to me. Can someone please explain the reasoning
> behind this?
> 
> Here's the stacktrace which points to the method which returns the
> true/false
> 
> 0 = {StackTraceElement@23279}
> "org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
> 1 = {StackTraceElement@23280}
> "org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
> 2 = {StackTraceElement@23281}
> "org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
> 3 = {StackTraceElement@23282}
> "org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
> 4 = {StackTraceElement@23283}
> "com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"
> 
> Regards
> Satya Deep
> 
> [1] -
> https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178
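
Added example (not part of the thread, and not Sling or AntiSamy code): a small Java diagnostic for the explanation given in the reply, which checks each code point of a path against a character allow-list and reports the ones that fall outside it together with their Unicode general category. The class name, method names and the ALLOWED pattern are assumptions made for illustration; the pattern actually configured is the one referenced at [2].

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class HrefCharAudit {
    // ASSUMPTION: illustrative per-character allow-list (letters, numbers and a
    // few path punctuation marks). It is NOT the regex configured in Sling.
    static final Pattern ALLOWED = Pattern.compile("[\\p{L}\\p{N}/._~%-]");

    /** Returns one entry per code point of path that ALLOWED does not match. */
    static List<String> rejected(String path) {
        List<String> out = new ArrayList<>();
        path.codePoints().forEach(cp -> {
            String ch = new String(Character.toChars(cp));
            if (!ALLOWED.matcher(ch).matches()) {
                out.add(String.format("U+%04X %s (%s)", cp, ch, category(cp)));
            }
        });
        return out;
    }

    // Maps the java.lang.Character type of a code point to its two-letter
    // Unicode general category for the categories most likely to show up here.
    static String category(int cp) {
        switch (Character.getType(cp)) {
            case Character.MATH_SYMBOL:     return "Sm";
            case Character.OTHER_SYMBOL:    return "So";
            case Character.CURRENCY_SYMBOL: return "Sc";
            case Character.MODIFIER_SYMBOL: return "Sk";
            case Character.LETTER_NUMBER:   return "Nl";
            case Character.OTHER_NUMBER:    return "No";
            default: return "type " + Character.getType(cp);
        }
    }

    public static void main(String[] args) {
        // The two resource names quoted in the thread.
        String base = "/conf/global/settings/dam/adminui-extension/imageprofile/";
        for (String name : new String[] {"ЁЖū11", "㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵"}) {
            List<String> bad = rejected(base + name);
            System.out.println(name + " -> "
                    + (bad.isEmpty() ? "all characters allowed" : bad));
        }
    }
}
```

To audit a real deployment, replace ALLOWED with a per-character form of the pattern that is actually configured and run the same check over the paths that getValidHref rejects.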