You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by Satya Deep Maheshwari <m....@gmail.com> on 2018/08/24 12:17:07 UTC
[xss] Inconsistent XSSFilterImpl.isValidHref behavior
Hi
I had a query on XSSFilterImpl.isValidHref [1]. This method returns true
for the following url:
/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
but returns false for the following url
/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11
which implies that
/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid
href and
and
/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
is not a valid href
which seems a bit strange to me. Can someone please explain the reasoning
behind this?
Here's the stacktrace which points to the method which returns the
true/false
0 = {StackTraceElement@23279}
"org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
1 = {StackTraceElement@23280}
"org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
2 = {StackTraceElement@23281}
"org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
3 = {StackTraceElement@23282}
"org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
4 = {StackTraceElement@23283}
"com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"
Regards
Satya Deep
[1] -
https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178
Re: [xss] Inconsistent XSSFilterImpl.isValidHref behavior
Posted by Radu Cotescu <ra...@apache.org>.
Hi Satya,
I think you meant the other way around, regarding the URLs (you get false for /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵).
I suspect it has something to do with the characters from "㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵”, which are not valid according to the configured regex. For more details check [2].
Cheers,
Radu
[2] - https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L112-L113
> On 24 Aug 2018, at 14:17, Satya Deep Maheshwari <m....@gmail.com> wrote:
>
> Hi
>
> I had a query on XSSFilterImpl.isValidHref [1]. This method returns true
> for the following url:
>
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
>
> but returns false for the following url
>
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11
>
> which implies that
>
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid
> href and
>
> and
>
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
> is not a valid href
>
> which seems a bit strange to me. Can someone please explain the reasoning
> behind this?
>
> Here's the stacktrace which points to the method which returns the
> true/false
>
> 0 = {StackTraceElement@23279}
> "org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
> 1 = {StackTraceElement@23280}
> "org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
> 2 = {StackTraceElement@23281}
> "org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
> 3 = {StackTraceElement@23282}
> "org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
> 4 = {StackTraceElement@23283}
> "com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"
>
> Regards
> Satya Deep
>
> [1] -
> https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178