[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17754136#comment-17754136 ]
Stefan Seifert commented on SLING-10391:
----------------------------------------

switching to {{org.apache.sling.xss.impl.XSSAPIImpl}} and mocking only the XSSFilter works well, but comes with a cosmetic downside. on the first unit test run ESAPI prints a bunch of log messages to system.out like
{noformat}
ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: C:\Users\stefan.seifert\esapi\ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: C:\Users\stefan.seifert\esapi\validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
{noformat}
it does not seem possible to disable this output, as it is logged before the actual logging implementation (which redirects to SLF4J as configured in ESAPI.properties from Sling XSS) is in place.

here is a discussion about this issue https://github.com/ESAPI/esapi-java-legacy/issues/68 - they may change the implementation in the future, but the issue is already quite antique.

> Improve MockXSSAPIImpl
> ----------------------
>
>                 Key: SLING-10391
>                 URL: https://issues.apache.org/jira/browse/SLING-10391
>             Project: Sling
>          Issue Type: Improvement
>          Components: Testing
>    Affects Versions: Testing Sling Mock 3.0.2
>            Reporter: Henry Kuijpers
>            Assignee: Stefan Seifert
>            Priority: Major
>             Fix For: Testing Sling Mock 3.4.12
>
>
> MockXSSAPIImpl only has a few very simplistic method implementations (i.e.
> for encodeForHTML it returns the input as-is).
> I think we can make some improvements to it, by:
> * Use StringEscapeUtils.escapeHtml4() to do HTML escaping (so that we can at
> least see a difference in the output)
> * Use StringEscapeUtils.escapeXml() to do XML escaping
> etc.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
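Added example, not part of the original message and not Sling or Sling Mock code: why a pass-through encodeForHTML mock, as the issue description reports, cannot reveal a component that forgets to encode, while an escaping mock can. The class, the two render methods and the sample value are hypothetical, and `escapeHtml` is a JDK-only stand-in for `StringEscapeUtils.escapeHtml4()` that covers only `&`, `<`, `>` and `"`.

```java
import java.util.function.UnaryOperator;

/** Added illustration; all names here are hypothetical, not Sling's. */
public class EscapingMockDemo {

    // Pass-through behaviour the issue describes for the mock's encodeForHTML.
    static final UnaryOperator<String> PASS_THROUGH = s -> s;

    // Assumption: minimal stand-in for StringEscapeUtils.escapeHtml4().
    static String escapeHtml(String in) {
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Component under test, correct: the value goes through the encoder.
    static String renderEncoded(String title, UnaryOperator<String> enc) {
        return "<h1>" + enc.apply(title) + "</h1>";
    }

    // Component under test, defective: the encoder is never called.
    static String renderRaw(String title, UnaryOperator<String> enc) {
        return "<h1>" + title + "</h1>";
    }

    public static void main(String[] args) {
        String title = "Q&A <draft>"; // constructed sample value
        // Pass-through mock: both renderers produce identical markup, so an
        // assertion on the output passes for the defective one as well.
        boolean same = renderEncoded(title, PASS_THROUGH)
                .equals(renderRaw(title, PASS_THROUGH));
        System.out.println("pass-through mock hides the defect: " + same);

        // Escaping mock: the outputs differ, so a test can tell them apart.
        UnaryOperator<String> escaping = EscapingMockDemo::escapeHtml;
        System.out.println("encoded:   " + renderEncoded(title, escaping));
        System.out.println("defective: " + renderRaw(title, escaping));
    }
}
```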