Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/05/20 09:39:00 UTC

[jira] [Created] (SLING-11326) Deprecate processing of embedded style sheets

Robert Munteanu created SLING-11326:
---------------------------------------

             Summary: Deprecate processing of embedded style sheets
                 Key: SLING-11326
                 URL: https://issues.apache.org/jira/browse/SLING-11326
             Project: Sling
          Issue Type: Improvement
          Components: XSS Protection API
            Reporter: Robert Munteanu
            Assignee: Robert Munteanu
             Fix For: XSS Protection API 2.2.20


When validating HTML, external stylesheets embedded in style tags are
loaded and inlined. For example, validating

---
<h1>Hello, world</h1>
<style type="text/css">
h1 { color: red }
@import "https://example.com/my-awesome-input.css"
</style>
---

will access https://example.com/my-awesome-input.css, inline it in the
style tag, and validate it.

This functionality is disabled in the default configuration we ship
with Sling. I think this can have a stability and performance impact
when enabled and therefore I propose that we stop supporting it in the
future.

See also https://lists.apache.org/thread/l1yfmc6jkd9gx5bmx509dy25dc6o434m



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
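
Added example, not part of the original message and not Sling code: a stand-alone scan that lists the @import rules inside embedded style tags, to see which stored content would cause a stylesheet fetch during validation when the feature is enabled. The names find_style_imports and StyleCollector are hypothetical, the sample input is constructed from the snippet in the issue, and CSS escape sequences are not decoded.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input, modelled on the snippet in the issue description.
SAMPLE = '''<h1>Hello, world</h1>
<style type="text/css">
h1 { color: red }
/* @import "https://example.com/commented-out.css"; */
@import "https://example.com/my-awesome-input.css";
@IMPORT url( '//cdn.example.com/theme.css' ) screen;
@import url(local/print.css);
</style>
<p style="color: blue">no import here</p>'''

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Matches @import "x", @import 'x', @import url(x) and @import url("x").
IMPORT_RULE = re.compile(r"""@import\s*(?:url\(\s*)?["']?([^"'()\s;]+)""", re.I)

class StyleCollector(HTMLParser):
    """Collects the text content of every <style> element."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.sheets = []
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
            self.sheets.append("")
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.sheets[-1] += data

def find_style_imports(html):
    """Return (url, is_remote) for each @import in embedded style sheets."""
    collector = StyleCollector()
    collector.feed(html)
    collector.close()
    found = []
    for sheet in collector.sheets:
        # Drop CSS comments first so commented-out rules are not reported.
        for url in IMPORT_RULE.findall(CSS_COMMENT.sub(" ", sheet)):
            parsed = urlparse(url)
            # http(s) or protocol-relative "//host" means another host is contacted.
            remote = parsed.scheme in ("http", "https") or bool(parsed.netloc)
            found.append((url, remote))
    return found

if __name__ == "__main__":
    for url, remote in find_style_imports(SAMPLE):
        print("remote" if remote else "local ", url)
```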