Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2022/05/18 15:47:00 UTC
[jira] [Commented] (SLING-7231) Move to owasp sanitizer library
[ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17538919#comment-17538919 ]
Robert Munteanu commented on SLING-7231:
----------------------------------------
I added some tests to validate CSS filtering in https://github.com/apache/sling-org-apache-sling-xss/pull/21 .
> Move to owasp sanitizer library
> -------------------------------
>
> Key: SLING-7231
> URL: https://issues.apache.org/jira/browse/SLING-7231
> Project: Sling
> Issue Type: Improvement
> Components: XSS Protection API
> Reporter: Carsten Ziegeler
> Assignee: Tatyana Vogel
> Priority: Critical
> Labels: gsoc2018, java, mentor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> While looking at the extensive dependency list of the XSS module (which are all caused by the embedded owasp.org artifacts), I found out that the versions we use are outdated.
> So I think we should update those to the latest.
> Furthermore, the embedded AntiSamy library does not look to be maintained anymore
> (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project);
> instead, the HTML sanitizer looks much fresher and claims to be faster:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> I think we should switch. Quick analysis:
> Pros:
> Actively maintained
> Much faster
> Lightweight (also from a dependency POV)
> Cons:
> Incompatible (and runtime-object based) configuration
> Not completely feature equivalent (but close enough and better in some aspects)
> Some investigation is needed on how
> a) filter rules can be configured (e.g. sling configurations, file based, code bundle, ... ?)
> b) existing configurations can be migrated
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
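As an added example (not code from the Sling XSS module, the linked pull request, or this Jira thread), this shows the runtime-object style of configuration the description lists as a con: an OWASP Java HTML Sanitizer policy built with HtmlPolicyBuilder instead of an AntiSamy XML policy file, including a restricted CSS property set for the style attribute. The element, attribute and CSS property lists, the class name and the sample input are assumptions chosen for the demonstration.

```java
import java.util.Set;

import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class StylePolicyExample {

    // Assumption: a deliberately small CSS allow-list for the demo.
    // Any other property in a style="" attribute is dropped by the sanitizer.
    private static final CssSchema STYLE_SCHEMA =
        CssSchema.withProperties(Set.of("color", "font-weight", "text-align"));

    // The policy is a runtime object built from code, which is the
    // configuration model the issue description contrasts with AntiSamy's XML.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "b", "i", "a", "span")
        .allowAttributes("href").onElements("a")
        .allowUrlProtocols("https")          // http/data/other schemes are rejected
        .requireRelNofollowOnLinks()
        .allowStyling(STYLE_SCHEMA)          // permits style="" filtered by STYLE_SCHEMA
        .toFactory();

    // Elements, attributes and CSS properties outside the policy are removed;
    // the text content is kept and re-escaped on output.
    public static String sanitize(String untrusted) {
        return POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input: one allowed and one disallowed CSS property,
        // an event-handler attribute that no rule permits, and an https link.
        String input = "<p style=\"color:red; position:absolute\" onmouseover=\"x()\">"
            + "Hello <a href=\"https://sling.apache.org/\">Sling</a></p>";
        System.out.println(sanitize(input));
    }
}
```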