You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/05/20 10:25:00 UTC

[jira] [Resolved] (SLING-11326) Deprecate processing of embedded style sheets

     [ https://issues.apache.org/jira/browse/SLING-11326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu resolved SLING-11326.
-------------------------------------
    Resolution: Fixed

Fixed in https://github.com/apache/sling-org-apache-sling-xss/pull/23 .

> Deprecate processing of embedded style sheets
> ---------------------------------------------
>
>                 Key: SLING-11326
>                 URL: https://issues.apache.org/jira/browse/SLING-11326
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: XSS Protection API 2.2.20
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
> ---
> <h1>Hello, world</h1>
> <style type="text/css">
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css"
> </style>
> ---
> Will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
> See also https://lists.apache.org/thread/l1yfmc6jkd9gx5bmx509dy25dc6o434m



--
This message was sent by Atlassian Jira
(v8.20.7#820007)