Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/10/04 12:07:00 UTC

[jira] [Closed] (SLING-11425) Make URI filtering test more lenient in case of invalid XML input

     [ https://issues.apache.org/jira/browse/SLING-11425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu closed SLING-11425.
-----------------------------------

> Make URI filtering test more lenient in case of invalid XML input
> -----------------------------------------------------------------
>
>                 Key: SLING-11425
>                 URL: https://issues.apache.org/jira/browse/SLING-11425
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: XSS Protection API 2.3.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The AntiSamiPolicyTest validates URI filtering in a scenario where it passes invalid XML, where content is included after the closing slash, i.e.
> {noformat}<div/style=&#92&#45&#92&#...>{noformat}
> in https://github.com/apache/sling-org-apache-sling-xss/blob/bafa22b0c3dfd457bfc8187d17dd8ffd14ab2158/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java#L216 .
> The test is strict and asserts that no style tag is present, since the XML parser used by AntiSamy does not recognize the tag. This is not in line with how the style tag is treated currently, as invalid values are removed, but the style tag is preserved.
> We should make the test more lenient and accept an empty style tag. This would also make it compatible with the Java HTML Cleaner based implementation worked on in SLING-7231.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
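As an added illustration of the strict versus lenient assertion discussed in the ticket (example code written for this page, not code from the Sling project or its test suite; the sanitizer outputs below are constructed samples), the check parses the sanitizer output and accepts a style attribute only when it is absent or empty, so a surviving value still fails regardless of which parser produced the output:

```python
from html.parser import HTMLParser


class StyleCollector(HTMLParser):
    """Collects the value of every style attribute in sanitizer output."""

    def __init__(self):
        super().__init__()
        self.styles = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "style":
                # html.parser reports a valueless attribute as None
                self.styles.append(value or "")

    # Self-closing tags (<div style=""/>) carry attributes too
    handle_startendtag = handle_starttag


def style_values(html):
    """Return the list of style attribute values found in `html`."""
    parser = StyleCollector()
    parser.feed(html)
    parser.close()
    return parser.styles


def strict_assertion(html):
    """Original test expectation: no style attribute may be present at all."""
    return style_values(html) == []


def lenient_assertion(html):
    """Proposed expectation: a style attribute may be absent or empty,
    but must never carry a value (the unsafe declaration must be gone)."""
    return all(value.strip() == "" for value in style_values(html))


# Constructed sample outputs for the malformed <div/style=...> input:
PARSER_DROPS_ATTR = "<div></div>"            # attribute never recognized
PARSER_KEEPS_ATTR = '<div style=""></div>'   # attribute kept, value removed
VALUE_SURVIVED = '<div style="color:red"></div>'  # sanitizer did not act

if __name__ == "__main__":
    for sample in (PARSER_DROPS_ATTR, PARSER_KEEPS_ATTR, VALUE_SURVIVED):
        print(sample, strict_assertion(sample), lenient_assertion(sample))
```

The strict form rejects the second output even though nothing dangerous remains, which is exactly the incompatibility between the two sanitizer implementations that the ticket describes.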