Robert Munteanu created SLING-12137:
---------------------------------------
Summary: XSS API bundle no longer embeds the needed org.owasp.html classes
Key: SLING-12137
URL: https://issues.apache.org/jira/browse/SLING-12137
Project: Sling
Issue Type: Bug
Components: XSS Protection API
Reporter: Robert Munteanu
Assignee: Robert Munteanu
Fix For: XSS Protection API 2.3.12
This manifests itself at runtime:
{noformat}
09.11.2023 14:26:57.444 *ERROR* [FelixLogListener] org.apache.sling.xss.impl.XSSFilterImpl bundle org.apache.sling.xss:2.3.11.SNAPSHOT (148)[org.apache.sling.xss.impl.XSSFilterImpl(223)] : The activate method has thrown an exception (org.apache.felix.log.LogException: java.lang.NoClassDefFoundError: org/owasp/html/HtmlStreamEventReceiver)
org.apache.felix.log.LogException: java.lang.NoClassDefFoundError: org/owasp/html/HtmlStreamEventReceiver
    at org.apache.sling.xss.impl.PolicyHandler.<init>(PolicyHandler.java:47) [org.apache.sling.xss:2.3.11.SNAPSHOT]
    at org.apache.sling.xss.impl.XSSFilterImpl.setActiveEmbededPolicy(XSSFilterImpl.java:311) [org.apache.sling.xss:2.3.11.SNAPSHOT]
    at org.apache.sling.xss.impl.XSSFilterImpl.updatePolicy(XSSFilterImpl.java:298) [org.apache.sling.xss:2.3.11.SNAPSHOT]
    at org.apache.sling.xss.impl.XSSFilterImpl.activate(XSSFilterImpl.java:267) [org.apache.sling.xss:2.3.11.SNAPSHOT]
{noformat}
Manually inspecting the jars shows that we don't have the org.owasp.html classes we used to embed:
{noformat}
$ jar tf target/org.apache.sling.xss-2.3.11-SNAPSHOT.jar | grep owasp/html
org/owasp/html/
org/owasp/html/DynamicAttributesSanitizerPolicy.class
{noformat}
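The manual `jar tf | grep` inspection above can be turned into a build-time check; the following is an added example, not part of the original report or of the Sling code base. It assumes embedded classes are inlined at the jar root and treats a class as loadable if it is either in the jar or its package appears in `Import-Package`; the sample manifest values and all function names are constructed for illustration.

```python
import io
import re
import zipfile

def manifest_headers(raw):
    """Main-section headers; a line starting with one space continues the previous line."""
    headers = {}
    for line in re.sub(r"\r?\n ", "", raw).splitlines():
        if not line.strip():
            break  # blank line ends the main section
        name, _, value = line.partition(": ")
        headers[name] = value
    return headers

def imported_packages(header):
    """Package names in Import-Package; commas inside quoted version ranges do not split."""
    clauses = re.findall(r'(?:[^,"]|"[^"]*")+', header)
    return {clause.split(";")[0].strip() for clause in clauses}

def unresolved_classes(jar, required):
    """Required classes that are neither embedded in the jar nor covered by Import-Package."""
    with zipfile.ZipFile(jar) as zf:
        entries = set(zf.namelist())
        manifest = manifest_headers(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    imports = imported_packages(manifest.get("Import-Package", ""))
    return [cls for cls in required
            if cls.replace(".", "/") + ".class" not in entries
            and cls.rpartition(".")[0] not in imports]

# Constructed sample: manifest values are illustrative, entries mirror the report's listing.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Bundle-SymbolicName: org.apache.sling.xss\r\n"
    'Import-Package: org.osgi.framework;version="[1.8,2)",org.slf\r\n'
    ' 4j;version="[1.7,2)"\r\n'
    "\r\n"
)
REQUIRED = [  # first from the stack trace, second from the jar listing
    "org.owasp.html.HtmlStreamEventReceiver", "org.owasp.html.DynamicAttributesSanitizerPolicy"]

def build_sample_jar(manifest=SAMPLE_MANIFEST):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("org/owasp/html/DynamicAttributesSanitizerPolicy.class", b"")
    return buf

if __name__ == "__main__":
    print("unresolved:", unresolved_classes(build_sample_jar(), REQUIRED))
```

Run against the real build artifact by passing its path instead of the constructed jar; a non-empty result means the sanitizer would fail to activate at runtime as in the log above.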