Konrad Windszus created SLING-7703:
--------------------------------------
Summary: XSSFilter.filter(XSSFilter.DEFAULT_CONTEXT, ...)
unescapes given unicode escape sequences
Key: SLING-7703
URL: https://issues.apache.org/jira/browse/SLING-7703
Project: Sling
Issue Type: Bug
Components: XSS Protection API
Affects Versions: XSS Protection API 2.0.6
Reporter: Konrad Windszus
When giving a unicode escape sequence like
{code}
test ✅ test
{code}
to {{XSSFilter.filter(...)}} the returned value contains the unescaped
character.
This is always a problem if the output is not UTF-8.
The expected behaviour is that those non-dangerous unicode escape sequence pass
the filter without getting unescaped.
{{XSSFilter.filter(...)}} is used e.g. from HTL with display context "html"
(https://github.com/apache/sling-org-apache-sling-scripting-sightly/blob/f46ff4d97b96d21da521651fe9f789f89253452f/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java#L123)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
