[ 
https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447447#comment-17447447
 ] 

Bertrand Delacretaz commented on SLING-7231:
--------------------------------------------

Looking at the test coverage (build with {{-P jacoco-report}} and look at 
{{target/site/jacoco-merged/index.html}}), it seems like some of the 
{{org.apache.sling.xss.impl}} code is not tested, especially the 
{{XSSFilterImpl}}, where the {{check}} method and a number of error cases are 
not tested.

I think at least the {{check}} method, being part of the public API, deserves 
to have tests added before making extensive changes to this module. The error 
cases might not be relevant anymore depending on how much the implementation 
changes.

> Move to owasp sanitizer library
> -------------------------------
>
>                 Key: SLING-7231
>                 URL: https://issues.apache.org/jira/browse/SLING-7231
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Carsten Ziegeler
>            Assignee: Tatyana
>            Priority: Critical
>              Labels: gsoc2018, java, mentor
>
> While looking at the extensive dependency list of the XSS module (which are 
> all caused by the embedded owasp.org artifacts), I found out that the 
> versions we use are outdated.
> So I think we should update those to the latest.
> Furthermore, the embedded AntiSamy library does not look to be maintained 
> anymore
> (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project);
> instead, the HTML sanitizer looks much fresher and claims to be faster:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> I think we should switch. Quick analysis:
> Pros:
>     Actively maintained
>     Much faster
>     Lightweight (also from a dependency POV)
> Cons:
>     Incompatible (and runtime-object based) configuration
>     Not completely feature equivalent (but close enough and better in some 
> aspects)
> Some investigation is needed on how
> a) filter rules can be configured (e.g. sling configurations, file based, 
> code bundle, ... ?)
> b) existing configurations can be migrated 
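As an added illustration of the "runtime-object based configuration" listed under Cons above (example code, not part of the issue or of the Sling XSS module), this is what an allow-list policy looks like when built with the OWASP Java HTML Sanitizer's {{HtmlPolicyBuilder}} instead of an AntiSamy XML policy file. It assumes the {{com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer}} artifact is on the classpath; the element and attribute list is a constructed sample, not Sling's actual policy.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SanitizerPolicyDemo {

    // The policy is assembled in code and compiled into an immutable
    // PolicyFactory once; there is no XML file to migrate from AntiSamy.
    // Everything not explicitly allowed here is removed from the output.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "em", "strong", "a")
            // href is the only attribute kept, and only on <a>
            .allowAttributes("href").onElements("a")
            // URL scheme allow-list: anything else (javascript:, data:, ...)
            // is dropped from the attribute value
            .allowUrlProtocols("https")
            // Add rel="nofollow" to surviving links
            .requireRelNofollowOnLinks()
            .toFactory();

    /** Returns the sanitized HTML for untrusted markup. */
    static String sanitize(String untrusted) {
        return POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample input (not from the issue): an event-handler
        // attribute, a non-https link scheme and a <script> element are all
        // outside the allow-list and are removed, while <p>/<a> text is kept.
        String input = "<p onclick=\"doSomething()\">Hi "
                + "<a href=\"javascript:doSomething()\">link</a>"
                + "<script>doSomething()</script></p>";
        System.out.println(sanitize(input));
    }
}
```

A migration of an existing AntiSamy policy therefore means translating each allowed tag/attribute/protocol rule into builder calls like these, which is the mapping question raised in point b) above.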



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
