[ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16394298#comment-16394298 ]
Gimo commented on SLING-7231:
-----------------------------

Hi,

I am a Computer Science and Engineering Undergraduate of the University of Moratuwa. I would like to work on this issue as my GSoC 2018 project. Would you please help me to understand the scope of this?

Best Regards,

> Move to owasp sanitizer library
> -------------------------------
>
> Key: SLING-7231
> URL: https://issues.apache.org/jira/browse/SLING-7231
> Project: Sling
> Issue Type: Improvement
> Components: XSS Protection API
> Reporter: Carsten Ziegeler
> Priority: Critical
> Labels: gsoc2018
> Fix For: XSS Protection API 2.1.0
>
>
> While looking at the extensive dependency list of the XSS module (which are
> all caused by the embedded owasp.org artifacts), I found out that the
> versions we use are outdated.
> So I think we should update those to the latest.
> Furthermore, the embedded antisamy library does not look to be maintained
> anymore
> (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project)
> instead the html sanitizer looks much fresher and claims to be faster
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> I think we should switch. Quick analysis:
> Pros:
> Actively maintained
> Much faster
> Lightweight (also from a dependency POV)
> Cons:
> Incompatible (and runtime-object based) configuration
> Not completely feature equivalent (but close enough and better in some
> aspects)
> Some investigation is needed on how
> a) filter rules can be configured (e.g. sling configurations, file based,
> code bundle, ... ?)
> b) existing configurations can be migrated

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
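The "runtime-object based configuration" the quoted issue lists as a con, shown as an added example that is neither Sling's nor the OWASP project's own code: a small allow list of the kind AntiSamy expresses in an XML policy file, written instead against the OWASP Java HTML Sanitizer's HtmlPolicyBuilder. The class name and the input string are constructed for the demonstration.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SanitizerPolicyExample {

    // The filter rules live in code (an immutable PolicyFactory object),
    // not in an XML file: a few formatting elements, links limited to
    // safe URL schemes, and rel="nofollow" forced onto surviving links.
    // Predefined policies from org.owasp.html.Sanitizers can be combined
    // with this one via PolicyFactory.and(...) if a broader rule set is needed.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "ul", "ol", "li")
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https", "mailto")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Anything not covered by the policy (event handler attributes, script
    // elements, links with other URL schemes) is stripped from the output.
    static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input: markup as a user might submit it
        // to a component that renders rich text.
        String input = "<p onmouseover=\"track()\">Hello <b>world</b>"
                + " <a href=\"https://sling.apache.org/\">Sling</a>"
                + " <a href=\"javascript:void(0)\">other</a>"
                + "<script>console.log('x')</script></p>";
        System.out.println(sanitize(input));
    }
}
```

Because the rules are a Java object rather than a file, the open question (a) in the issue amounts to deciding where such a builder chain is assembled, for instance from an OSGi configuration or inside a code bundle.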