Posted to dev@sling.apache.org by "Jan Stettler (JIRA)" <ji...@apache.org> on 2017/05/19 08:58:04 UTC
[jira] [Created] (SLING-6865) Default Config sling/xss/config.xml and XSSFilterImpl is not the same
Jan Stettler created SLING-6865:
-----------------------------------
Summary: Default Config sling/xss/config.xml and XSSFilterImpl is not the same
Key: SLING-6865
URL: https://issues.apache.org/jira/browse/SLING-6865
Project: Sling
Issue Type: Bug
Components: XSS Protection API
Reporter: Jan Stettler
Priority: Critical
There is a different default config for XSSFilterImpl .href.
In XSSFilter the pattern looks like:
{code}
(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*"
{code}
In the /libs/sling/xss/config.xml itself it looks like:
{code}
(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!\*\(\)]*(\s)*
{code}
In the config file there is a missing (\\).
Can you fix this?