Posted to dev@sling.apache.org by "Stefan Seifert (Jira)" <ji...@apache.org> on 2023/05/16 15:54:00 UTC

[jira] [Commented] (SLING-11882) XSS Protection API: Apply shading/package relocation to embedded Guava+Co Libraries

    [ https://issues.apache.org/jira/browse/SLING-11882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723174#comment-17723174 ] 

Stefan Seifert commented on SLING-11882:
----------------------------------------

If you run into this problem in a unit test context, add a dependency definition like this at the last position in your POM as a workaround:
{code:xml}
<dependency>
  <groupId>org.apache.sling</groupId>
  <artifactId>org.apache.sling.xss</artifactId>
  <scope>test</scope>
</dependency>
{code}
This will ensure that the Guava classes defined in other dependencies are loaded first, and the embedded classes from this bundle do not take precedence.

> XSS Protection API: Apply shading/package relocation to embedded Guava+Co Libraries
> -----------------------------------------------------------------------------------
>
>                 Key: SLING-11882
>                 URL: https://issues.apache.org/jira/browse/SLING-11882
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 2.3.0
>            Reporter: Stefan Seifert
>            Priority: Major
>             Fix For: XSS Protection API 2.3.8
>
>
> With version 2.3.0 of the XSS Protection API, the internal implementation was switched to the OWASP sanitizer library (esapi) in SLING-7231.
> With this new implementation comes a load of 3rd-party libraries, including a Guava version, which is embedded as private packages in the OSGi bundle. This is completely fine from an OSGi bundle perspective and works.
> However, in unit test contexts this can lead to problems, because depending on the dependency order the embedded Guava classes may overlay other Guava classes referenced in the same POM with a different version, leading to problems running code in the unit test context. To prevent problems like this, we usually apply shading and relocation of the package names to ensure such clashes in the classpath do not happen.
> The same problem may affect other libraries embedded in the bundle.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
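
The classpath effect described in the comment and issue above, shown as an added example that is not part of the original message or of the Sling project's code: a check that lists which jar supplies each duplicated Guava class for a given dependency order. The jar names and entries are constructed for illustration, and the check assumes a flat classpath where the first jar containing a class wins.

```python
import os
import tempfile
import zipfile


def clashes(classpath, prefix="com/google/"):
    """Report classes under `prefix` found in more than one jar.

    Assumes a flat classpath (as in a Maven unit test run), where the first
    jar that contains a class supplies it and later copies are shadowed.
    Returns {class_entry: (winning_jar, [shadowed_jars])}.
    """
    first_seen, report = {}, {}
    for jar in classpath:
        with zipfile.ZipFile(jar) as zf:
            for name in sorted(set(zf.namelist())):
                if not (name.startswith(prefix) and name.endswith(".class")):
                    continue
                winner = first_seen.setdefault(name, jar)
                if winner != jar:
                    entry = report.setdefault(name, (os.path.basename(winner), []))
                    entry[1].append(os.path.basename(jar))
    return report


def make_jar(path, entries):
    """Write a constructed jar holding empty entries with the given names."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return path


def demo():
    """Build two constructed jars and compare both dependency orders."""
    tmp = tempfile.mkdtemp()
    # Constructed stand-in for the bundle with Guava embedded, not relocated.
    xss = make_jar(os.path.join(tmp, "org.apache.sling.xss.jar"), [
        "org/apache/sling/xss/XSSAPI.class",
        "com/google/common/base/Strings.class",
        "com/google/common/collect/ImmutableList.class"])
    # Constructed stand-in for a different Guava version from the same POM.
    guava = make_jar(os.path.join(tmp, "guava.jar"), [
        "com/google/common/base/Strings.class",
        "com/google/common/base/Optional.class",
        "com/google/common/collect/ImmutableList.class"])
    return clashes([xss, guava]), clashes([guava, xss])


if __name__ == "__main__":
    for order, report in zip(("xss first", "xss last"), demo()):
        for name, (winner, shadowed) in sorted(report.items()):
            print(f"{order}: {name} loaded from {winner}, shadows {shadowed}")
```

Pointing `clashes` at the jars of a real test classpath, in classpath order, shows whether the workaround ordering is in effect; once the embedded packages are relocated, the report for the `com/google/` prefix comes back empty.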