Posted to dev@sling.apache.org by "Konrad Windszus (JIRA)" <ji...@apache.org> on 2018/12/13 15:25:00 UTC

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16720297#comment-16720297 ] 

Konrad Windszus commented on SLING-7231:
----------------------------------------

AFAIK we currently only use the HTML filtering part of AntiSamy, not the CSS filtering part.

The translation from an AntiSamy XML to a {{HtmlSanitizer.Policy}} is probably quite complex and would not be 100% complete (for details refer to the AntiSamy XSD in https://github.com/andresriancho/owaspantisamy/blob/master/Java/antisamy/src/main/resources/antisamy.xsd). Is backwards compatibility really necessary here or should we rather come up with a more simplified configuration (maybe even based on an OSGi metatype)?

IMHO this configuration was never documented on Sling side (but it is mentioned at https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/security.html).

> Move to owasp sanitizer library
> -------------------------------
>
>                 Key: SLING-7231
>                 URL: https://issues.apache.org/jira/browse/SLING-7231
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Carsten Ziegeler
>            Assignee: Radu Cotescu
>            Priority: Critical
>              Labels: gsoc2018, java, mentor
>             Fix For: XSS Protection API 2.1.0
>
>
> While looking at the extensive dependency list of the XSS module (which are all caused by the embedded owasp.org artifacts), I found out that the versions we use are outdated.
> So I think we should update those to the latest.
> Furthermore, the embedded antisamy library does not look to be maintained anymore
> (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project)
> instead the html sanitizer looks much fresher and claims to be faster
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> I think we should switch. Quick analysis:
> Pros:
>     Actively maintained
>     Much faster
>     Lightweight (also from a dependency POV)
> Cons:
>     Incompatible (and runtime-object based) configuration
>     Not completely feature equivalent (but close enough and better in some aspects)
> Some investigation is needed on how
> a) filter rules can be configured (e.g. sling configurations, file based, code bundle, ... ?)
> b) existing configurations can be migrated 
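What the "runtime-object based configuration" of the OWASP Java HTML Sanitizer looks like in practice, as an added illustration that is not Sling's code nor an artifact of the OWASP project: a small allow-list policy built with `HtmlPolicyBuilder`, covering the kind of rules an AntiSamy XML policy expresses with `<tag name="a" action="validate">` and `<attribute name="href">` entries. The class name `SanitizerPolicyExample`, the chosen element list and the sample input are assumptions for the example; the `org.owasp.html` API calls are the library's own.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example (not Sling's or the OWASP project's code): a minimal
 * allow-list policy expressed as Java objects instead of an AntiSamy XML file.
 * Requires the artifact com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer.
 */
public final class SanitizerPolicyExample {

    /** Roughly the equivalent of a small AntiSamy "validate" rule set. */
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            // structural and inline formatting elements, no attributes allowed
            .allowElements("p", "br", "b", "i", "em", "strong", "ul", "ol", "li")
            // anchors: only href, only http/https URLs, and rel="nofollow" forced
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https")
            .requireRelNofollowOnLinks()
            // everything not listed above (script, style, event handlers, ...) is dropped
            .toFactory();

    /** Runs untrusted markup through the policy and returns the sanitized HTML. */
    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input: allowed markup mixed with an event handler,
        // an inline script and a javascript: URL, i.e. what an XSS filter must neutralise.
        String input = "<p onclick=\"alert(1)\">Hello <b>world</b>"
                + "<script>alert(document.cookie)</script>"
                + "<a href=\"javascript:alert(1)\">bad link</a> "
                + "<a href=\"https://sling.apache.org\">good link</a></p>";
        System.out.println(sanitize(input));
    }
}
```

The policy is a `PolicyFactory` created once and reused; it is thread-safe, so a single instance per configuration is the normal pattern. On the sample input the `onclick` handler and the `script` element are not on the allow-list and are removed, the `javascript:` link loses its `href` because only `http` and `https` pass `allowUrlProtocols`, and the `https` link is kept with `rel="nofollow"` added. Policies can also be combined with `PolicyFactory.and(...)`, which is one way a per-component or per-tenant configuration could be assembled from smaller building blocks rather than from one monolithic XML file.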



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)