Posted to dev@sling.apache.org by "Dan Klco (JIRA)" <ji...@apache.org> on 2014/06/25 23:53:25 UTC

[jira] [Resolved] (SLING-3665) Support XSS Encoding

     [ https://issues.apache.org/jira/browse/SLING-3665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Klco resolved SLING-3665.
-----------------------------

    Resolution: Fixed

Added basic tag for encoding text based on OWASP standards.

> Support XSS Encoding
> --------------------
>
>                 Key: SLING-3665
>                 URL: https://issues.apache.org/jira/browse/SLING-3665
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting JSP-Taglib 2.2.0
>            Reporter: Dan Klco
>            Assignee: Dan Klco
>            Priority: Minor
>              Labels: patch
>             Fix For: Scripting JSP-Taglib 2.2.2
>
>         Attachments: SLING-3665.diff
>
>
> I'd propose we should support proper XSS encoding through the Sling JSP Taglib.  Nothing too elaborate, just more than is provided by the JSTL Commons Out tag as that's not sufficient to provide true XSS protection.
> I'll attach a patch with a new tag which uses the OWASP ESAPI's encoder service to encode content in several different ways depending on how it should be used.  This API is available under the BSD license, so I believe it is compatible.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
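The issue description above argues that a single escape pass (what the JSTL `<c:out>` tag does) is not enough, and that the encoder has to differ depending on where the value ends up (HTML body, attribute, JavaScript string, URL). The Java below is an added illustration of that point; it is not the SLING-3665 patch and not the Sling taglib's code. Its encoders are hand-written approximations of the encoding categories the OWASP ESAPI Encoder offers (the ESAPI method names mentioned in comments are an assumption about that library, not something the mail shows), and the input string is constructed for the demo.

```java
// Added example for SLING-3665 discussion: context-aware output encoding.
// Not the patch's code. Each encoder below is a simplified stand-in for the
// kind of routine ESAPI's Encoder provides (assumed: encodeForHTML,
// encodeForJavaScript, encodeForURL); the real library is more complete.
import java.nio.charset.StandardCharsets;

public class ContextEncodingDemo {

    // Roughly what <c:out escapeXml="true"> does: only five characters.
    static String escapeXmlLikeCOut(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '&':  b.append("&amp;");  break;
                case '\'': b.append("&#039;"); break;
                case '"':  b.append("&#034;"); break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }

    // HTML body or attribute value: entity-encode everything that is not
    // alphanumeric or a space, so the result is inert even in an unquoted
    // attribute, where c:out's output (which leaves spaces, '=' and '/'
    // untouched) would not be.
    static String encodeForHtml(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c) || c == ' ') b.append(c);
            else b.append("&#").append((int) c).append(';');
        }
        return b.toString();
    }

    // JavaScript string literal: \xHH or \uHHHH escapes. HTML entities are
    // the wrong tool here because the JS engine never decodes them, so a
    // c:out-encoded value inside <script> is both mangled and, for
    // characters such as backslash and newline, unprotected.
    static String encodeForJavaScript(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c)) b.append(c);
            else if (c < 256) b.append(String.format("\\x%02X", (int) c));
            else b.append(String.format("\\u%04X", (int) c));
        }
        return b.toString();
    }

    // URL query parameter: percent-encode the UTF-8 bytes of anything that
    // is not an unreserved ASCII character.
    static String encodeForUrl(String s) {
        StringBuilder b = new StringBuilder();
        for (byte x : s.getBytes(StandardCharsets.UTF_8)) {
            int v = x & 0xFF;
            boolean unreserved = v < 128
                    && (Character.isLetterOrDigit(v) || "-_.~".indexOf(v) >= 0);
            if (unreserved) b.append((char) v);
            else b.append(String.format("%%%02X", v));
        }
        return b.toString();
    }

    public static void main(String[] args) {
        // Constructed input containing quote, ampersand, angle bracket,
        // space and backslash: the characters whose treatment differs per context.
        String value = "Tom & \"Jerry\" <'\\x>";

        System.out.println("c:out style : " + escapeXmlLikeCOut(value));
        System.out.println("HTML        : " + encodeForHtml(value));
        System.out.println("JavaScript  : " + encodeForJavaScript(value));
        System.out.println("URL         : " + encodeForUrl(value));
        // Note that only the c:out output still contains a raw space and a
        // raw backslash; the other three pick the escape the consuming
        // parser (HTML, JS, URL) will actually honour.
    }
}
```

The tag the patch introduces is useful precisely because a template author chooses the encoding by destination context rather than by a single "escape" flag; this demo only makes the difference between those encodings visible on one input.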