[ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446449#comment-17446449 ]
Tatyana commented on SLING-7231: -------------------------------- I will start to look into this issue. > Move to owasp sanitizer library > ------------------------------- > > Key: SLING-7231 > URL: https://issues.apache.org/jira/browse/SLING-7231 > Project: Sling > Issue Type: Improvement > Components: XSS Protection API > Reporter: Carsten Ziegeler > Priority: Critical > Labels: gsoc2018, java, mentor > > While looking at the extensive dependency list of the XSS module (which are > all caused by the embedded owasp.org artifacts), I found out that the > versions we use are outdated. > So I think we should update those to the latest. > Furthermore, the embedded antisamy library does not look to be maintained > anymore > (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) > instead the html sanitizer looks much fresher and claims to be faster > https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project > I think we should switch. Quick analysis: > Pros: > Actively maintained > Much faster > Lightweight (also from a dependency POV) > Cons: > Incompatible (and runtime-object based) configuration > Not completely feature equivalent (but close enough and better in some > aspects) > Some investigation is needed on how > a) filter rules can be configured (e.g. sling configurations, file based, > code bundle, ... ?) > b) existing configurations can be migrated -- This message was sent by Atlassian Jira (v8.20.1#820001)