[jira] [Created] (SLING-10158) XSSFilter fails with a classloading the TreeWalker class

Tue, 23 Feb 2021 10:26:05 -0800 

Eric Norman created SLING-10158:
-----------------------------------

             Summary: XSSFilter fails with a classloading the TreeWalker class
                 Key: SLING-10158
                 URL: https://issues.apache.org/jira/browse/SLING-10158
             Project: Sling
          Issue Type: Bug
    Affects Versions: XSS Protection API 2.2.10
            Reporter: Eric Norman
             Fix For: XSS Protection API 2.2.12


After switching to xss v2.2.10 many pages fail with a classloading exception 
regarding the org.apache.xml.serializer.TreeWalker class

For example, the composium browser at [http://localhost:8080/bin/browser.html] 
fails with this error:
{noformat}
org/apache/xml/serializer/TreeWalker (500)

The requested URL /bin/browser.html resulted in an error in 
/libs/composum/nodes/browser/browser.jsp.
Exception:

java.lang.NoClassDefFoundError: org/apache/xml/serializer/TreeWalker
    at 
org.apache.xalan.processor.TransformerFactoryImpl.newTransformer(TransformerFactoryImpl.java:818)
    at 
org.owasp.validator.html.scan.AntiSamySAXScanner.getNewTransformer(AntiSamySAXScanner.java:178)
    at 
org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:133)
    at 
org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:107)
    at 
org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:89)
    at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:129)
    at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:75)
    at 
org.apache.sling.xss.impl.HtmlToHtmlContentContext.getCleanResults(HtmlToHtmlContentContext.java:98)
    at 
org.apache.sling.xss.impl.HtmlToHtmlContentContext.filter(HtmlToHtmlContentContext.java:68)
    at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:200)
    at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:194)
    at com.composum.sling.core.util.XSS.filter(XSS.java:282)
    at 
com.composum.sling.core.util.ConsoleUtil.getConsoleResource(ConsoleUtil.java:31)
    at 
com.composum.sling.core.AbstractServletBean.initialize(AbstractServletBean.java:33)
    at 
com.composum.sling.core.BeanContext$AbstractContext.tryToInstantiateSlingBean(BeanContext.java:266)
    at 
com.composum.sling.core.BeanContext$AbstractContext.adaptTo(BeanContext.java:246)
    at com.composum.sling.core.BeanContext$Page.adaptTo(BeanContext.java:571)
    at 
com.composum.sling.cpnl.ComponentTag.createComponent(ComponentTag.java:220)
    at com.composum.sling.cpnl.ComponentTag.doStartTag(ComponentTag.java:73)
    at 
org.apache.jsp.libs.composum.nodes.browser.browser__002e__jsp._jspService(browser__002e__jsp.java:112)
    at 
org.apache.sling.scripting.jsp.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at 
org.apache.sling.scripting.jsp.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:496)...

{noformat}
 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to