Robert Munteanu created SLING-12137: ---------------------------------------
Summary: XSS API bundle no longer embeds the needed org.owasp.html classes Key: SLING-12137 URL: https://issues.apache.org/jira/browse/SLING-12137 Project: Sling Issue Type: Bug Components: XSS Protection API Reporter: Robert Munteanu Assignee: Robert Munteanu Fix For: XSS Protection API 2.3.12 This manifests itself at runtime {noformat}09.11.2023 14:26:57.444 *ERROR* [FelixLogListener] org.apache.sling.xss.impl.XSSFilterImpl bundle org.apache.sling.xss:2.3.11.SNAPSHOT (148)[org.apache.sling.xss.impl.XSSFilterImpl(223)] : The activate method has thrown an exception (org.apache.felix.log.LogException: java.lang.NoClassDefFoundError: org/owasp/html/HtmlStreamEventReceiver) org.apache.felix.log.LogException: java.lang.NoClassDefFoundError: org/owasp/html/HtmlStreamEventReceiver at org.apache.sling.xss.impl.PolicyHandler.<init>(PolicyHandler.java:47) [org.apache.sling.xss:2.3.11.SNAPSHOT] at org.apache.sling.xss.impl.XSSFilterImpl.setActiveEmbededPolicy(XSSFilterImpl.java:311) [org.apache.sling.xss:2.3.11.SNAPSHOT] at org.apache.sling.xss.impl.XSSFilterImpl.updatePolicy(XSSFilterImpl.java:298) [org.apache.sling.xss:2.3.11.SNAPSHOT] at org.apache.sling.xss.impl.XSSFilterImpl.activate(XSSFilterImpl.java:267) [org.apache.sling.xss:2.3.11.SNAPSHOT] {noformat} Manually inspecting the jars shows that we don't have the org.owasp.html classes we used to embed {noformat} $ jar tf target/org.apache.sling.xss-2.3.11-SNAPSHOT.jar | grep owasp/html org/owasp/html/ org/owasp/html/DynamicAttributesSanitizerPolicy.class {noformat} -- This message was sent by Atlassian Jira (v8.20.10#820010)