Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/05/20 10:25:00 UTC
[jira] [Resolved] (SLING-11326) Deprecate processing of embedded style sheets
[ https://issues.apache.org/jira/browse/SLING-11326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Munteanu resolved SLING-11326.
-------------------------------------
Resolution: Fixed
Fixed in https://github.com/apache/sling-org-apache-sling-xss/pull/23 .
> Deprecate processing of embedded style sheets
> ---------------------------------------------
>
> Key: SLING-11326
> URL: https://issues.apache.org/jira/browse/SLING-11326
> Project: Sling
> Issue Type: Improvement
> Components: XSS Protection API
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Priority: Major
> Fix For: XSS Protection API 2.2.20
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
> ---
> <h1>Hello, world</h1>
> <style type="text/css">
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css"
> </style>
> ---
> Will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
> See also https://lists.apache.org/thread/l1yfmc6jkd9gx5bmx509dy25dc6o434m