[ https://issues.apache.org/jira/browse/SLING-5946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vlad Bailescu updated SLING-5946:
---------------------------------
    Attachment: SLING_5946.patch

Added proposed patch

> XSSAPI#encodeForJSString is not restrictive enough
> --------------------------------------------------
>
>                 Key: SLING-5946
>                 URL: https://issues.apache.org/jira/browse/SLING-5946
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: XSS Protection API 1.0.8
>            Reporter: Vlad Bailescu
>             Fix For: XSS Protection API 1.0.10
>         Attachments: SLING_5946.patch
>
>
> Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding
> {{</script>}} and {{<!--}}. We should revert to using OWASP
> {{Encode#forJavaScript}} and handle {{-}} characters correctly for JSON too,
> by replacing them with {{\u002D}}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
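As an added illustration, not the attached patch and not code from Sling or the OWASP Java Encoder, the JavaScript below models the two behaviours the ticket contrasts: an encoder that only escapes quotes and backslashes, which leaves "</script>" and "<!--" intact for the HTML parser to act on, and one that additionally escapes "<", ">", "/", "&" and "-" as \uXXXX so the result is valid both inside a JavaScript string literal and inside a JSON string. The function names, the escape set and the sample input are assumptions made for this example.

```javascript
// Added example, not Sling's or OWASP's code: two encoders for embedding
// untrusted text in a JavaScript string literal inside an HTML <script>.

// Models the behaviour the ticket reports: only quotes and backslashes are
// escaped, so "</script>" and "<!--" pass through unchanged and can end the
// script block or open an HTML comment in the surrounding markup.
function weakEncodeForJSString(input) {
  return String(input).replace(/[\\"']/g, (ch) => '\\' + ch);
}

// Characters escaped as \uXXXX in addition to control characters and the
// U+2028/U+2029 line terminators. '-' is included (as \u002D, the form the
// ticket proposes) so neither "<!--" nor "-->" can appear in the output,
// and '/' so "</" cannot. The \u form is valid in JSON as well as in JS.
// The exact set is this example's choice, not a claim about OWASP's encoder.
const ALWAYS_ESCAPE = new Set(['<', '>', '&', '-', '/', '\\', '"', "'", '`']);

function hex4(code) {
  return '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
}

function encodeForJSString(input) {
  let out = '';
  for (const ch of String(input)) {
    const code = ch.codePointAt(0);
    if (ALWAYS_ESCAPE.has(ch) || code < 0x20 || code === 0x2028 || code === 0x2029) {
      out += hex4(code);   // every escaped character here is a BMP code point
    } else {
      out += ch;           // anything else is inert inside a string literal
    }
  }
  return out;
}

// Check used to judge an encoder's output: does any sequence survive that
// the HTML parser, rather than the JS engine, would act on?
function containsScriptBreakout(encoded) {
  return /<\/script|<!--|-->/i.test(encoded);
}

// Round trip through JSON.parse: the strong encoding must still decode to
// the original text, which is the "handle it for JSON too" requirement.
function roundTripsViaJson(text) {
  return JSON.parse('"' + encodeForJSString(text) + '"') === text;
}

// Constructed sample input: a value that would close the script block and
// open an HTML comment if it reached the page unencoded.
const SAMPLE = '</script><!-- x -->';

function demo() {
  const weak = weakEncodeForJSString(SAMPLE);
  const strong = encodeForJSString(SAMPLE);
  return {
    weakLeavesBreakout: containsScriptBreakout(weak),
    strongLeavesBreakout: containsScriptBreakout(strong),
    strongRoundTrips: roundTripsViaJson(SAMPLE),
    strong,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running demo() shows the weak encoder returning the sample unchanged, while the strong encoder yields "\u003C\u002Fscript\u003E\u003C!\u002D\u002D x \u002D\u002D\u003E", which contains no sequence the HTML parser recognises and still parses back to the original text as JSON.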