You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Nicolas Peltier (Jira)" <ji...@apache.org> on 2020/09/26 17:03:00 UTC

[jira] [Created] (SLING-9770) XSS API encodeForCSSString should sometimes leave the '>' character alone

Nicolas Peltier created SLING-9770:
--------------------------------------

             Summary: XSS API encodeForCSSString should sometimes leave the '>' character alone
                 Key: SLING-9770
                 URL: https://issues.apache.org/jira/browse/SLING-9770
             Project: Sling
          Issue Type: Bug
          Components: XSS Protection API
    Affects Versions: XSS Protection API 2.2.6
            Reporter: Nicolas Peltier


while

xssApi.encodeForCSSString should righteously encode {color:#6a8759}"JavaScrIpt some text>"{color}{color:#172b4d} into {color}{color:#6a8759}"JavaScrIpt some text{color}{color:#cc7832}\\{color}{color:#6a8759}3e"{color}{color:#cc7832}
{color}it should leave {color:#6a8759}".foo > .bar \{ some rule }"{color}{color:#cc7832}{color:#172b4d} alone{color} {color:#172b4d}as changing here the '>' character {color}{color:#172b4d}will break the CSS{color}
{color}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)