[ https://issues.apache.org/jira/browse/SLING-11425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu reassigned SLING-11425:
---------------------------------------

    Assignee: Robert Munteanu

> Make URI filtering test more lenient in case of invalid XML input
> -----------------------------------------------------------------
>
>                 Key: SLING-11425
>                 URL: https://issues.apache.org/jira/browse/SLING-11425
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: XSS Protection API 2.2.22
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The AntiSamyPolicyTest validates URI filtering in a scenario where it passes
> invalid XML, where content is included after the closing slash, i.e.
> {noformat}<div/style=\-\&#...>{noformat}
> in
> https://github.com/apache/sling-org-apache-sling-xss/blob/bafa22b0c3dfd457bfc8187d17dd8ffd14ab2158/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java#L216
> .
> The test is strict and asserts that no style tag is present, since the XML
> parser used by AntiSamy does not recognize the tag. This is not in line with
> how the style tag is treated currently, as invalid values are removed, but
> the style tag is preserved.
> We should make the test more lenient and accept an empty style tag. This
> would make it also compatible with the Java HTML Cleaner based implementation
> worked on in SLING-7231.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)