Radu Cotescu created SLING-5445:
-----------------------------------

             Summary: XSSAPI#encodeForJSString is too restrictive
                 Key: SLING-5445
                 URL: https://issues.apache.org/jira/browse/SLING-5445
             Project: Sling
          Issue Type: Bug
          Components: Extensions
    Affects Versions: XSS Protection API 1.0.6
            Reporter: Radu Cotescu
            Assignee: Radu Cotescu
             Fix For: XSS Protection API 1.0.8
For the cases when somebody tries to sanitise JSON strings, the current {{XSSAPI#encodeForJSString}} implementation is too restrictive. Assuming one would want to sanitise {{2016-01-21T15:40:30}}, the output of {{XSSAPI#encodeForJSString}} would be

{noformat}
2016\-01\-21T15:40:30
{noformat}

which, although a valid String for JavaScript code, is not a valid one for JSON.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
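The following JavaScript is an added example, not code from the Sling issue or from the XSS Protection API. It contrasts an encoder that emits JavaScript-only escapes, modelled on the single output the issue quotes (where "-" became "\-"), with an encoder whose output is valid inside a JSON string, and checks both against JSON.parse and the JavaScript parser. Which characters besides "-" the restrictive model escapes, and the JSON encoder's choice to \u-escape HTML-significant characters, are assumptions made for the example.

```javascript
// Added example, not code from the Sling issue or from the XSS Protection API.
// It contrasts an encoder that emits JavaScript-only escapes (modelled on the
// output quoted in the issue, where "-" became "\-") with one whose output is
// valid inside a JSON string, and checks both against JSON.parse and the
// JavaScript parser.

// Assumption: besides "-" (the one character the issue shows being escaped),
// this model also identity-escapes a few HTML-significant characters.
const JS_IDENTITY_ESCAPED = new Set(['-', '<', '>', '&', "'"]);

// Escapes JSON requires (or allows) in their short form.
const JSON_SHORT_ESCAPES = {
  '"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
  '\n': '\\n', '\r': '\\r', '\t': '\\t',
};

// Model of the restrictive behaviour: "\-" is an identity escape, legal in a
// JavaScript string literal, and "\xHH" is a JavaScript-only escape. Neither
// is accepted by a JSON parser.
function encodeForJSStringRestrictive(input) {
  let out = '';
  for (const ch of input) {
    const code = ch.codePointAt(0);
    if (ch === '"' || ch === '\\' || JS_IDENTITY_ESCAPED.has(ch)) {
      out += '\\' + ch;
    } else if (code < 0x20) {
      out += '\\x' + code.toString(16).padStart(2, '0');
    } else {
      out += ch;
    }
  }
  return out;
}

// Encoder whose output is valid in a JSON string and, because JSON escapes are
// a subset of JavaScript escapes, in a JavaScript string literal as well.
// HTML-significant characters and U+2028/U+2029 are \u-escaped so the result
// can also be embedded in a <script> block; that choice is an assumption.
function encodeForJSON(input) {
  let out = '';
  for (const ch of input) {
    const code = ch.codePointAt(0);
    if (Object.prototype.hasOwnProperty.call(JSON_SHORT_ESCAPES, ch)) {
      out += JSON_SHORT_ESCAPES[ch];
    } else if (code < 0x20 || code === 0x2028 || code === 0x2029 || "<>&'".includes(ch)) {
      out += '\\u' + code.toString(16).padStart(4, '0');
    } else {
      out += ch;
    }
  }
  return out;
}

// Does a JSON parser accept `encoded` between double quotes, and does it
// decode back to `original`?
function roundTripsAsJson(encoded, original) {
  try {
    return JSON.parse('"' + encoded + '"') === original;
  } catch (e) {
    return false;
  }
}

// Does the JavaScript parser accept `encoded` as a string literal body and
// decode it back to `original`? Function() is used only as a parser here, on
// encoder output this example itself produced.
function roundTripsAsJsLiteral(encoded, original) {
  try {
    return new Function('"use strict"; return "' + encoded + '";')() === original;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs: the timestamp from the issue plus a payload that
// would break out of a <script> block if left unencoded.
const SAMPLE_TIMESTAMP = '2016-01-21T15:40:30';
const SAMPLE_PAYLOAD = '</script><img src=x onerror=alert(1)>"\n';

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [SAMPLE_TIMESTAMP, SAMPLE_PAYLOAD]) {
    const js = encodeForJSStringRestrictive(s);
    const json = encodeForJSON(s);
    console.log({ js, jsOk: roundTripsAsJsLiteral(js, s), jsAsJson: roundTripsAsJson(js, s) });
    console.log({ json, jsonOk: roundTripsAsJson(json, s), jsonAsJs: roundTripsAsJsLiteral(json, s) });
  }
}
```

For the timestamp, the restrictive encoder reproduces the issue's output exactly; the JavaScript parser decodes it back to the original, while JSON.parse rejects it. The JSON encoder leaves the timestamp untouched and, for the script-breaking payload, produces a string that both parsers accept and that contains no literal "<" or ">", which is what an encoder meant to serve both contexts has to achieve.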