[
https://issues.apache.org/jira/browse/SLING-7777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Radu Cotescu resolved SLING-7777.
---------------------------------
Resolution: Fixed
Fix Version/s: XSS Protection API 2.0.12
Applied Lars' patch in [commit
4a90915|https://github.com/apache/sling-org-apache-sling-xss/commit/4a90915].
> XSSFilter is rejecting URLs containing only queries or fragments
> ----------------------------------------------------------------
>
> Key: SLING-7777
> URL: https://issues.apache.org/jira/browse/SLING-7777
> Project: Sling
> Issue Type: Bug
> Components: XSS Protection API
> Affects Versions: XSS Protection API 2.0.10
> Reporter: Lars Krapf
> Assignee: Radu Cotescu
> Priority: Major
> Labels: XSS
> Fix For: XSS Protection API 2.0.12
>
> Attachments: sling_xssfilter_patch.txt
>
>
> The XSSFilter is erroneously rejecting URLs that consist only of queries,
> (potentially empty) fragments or both, e.g. "#", "#test", "?foo=bar" etc.
> Even though the RELATIVE_PART regexp contains an PATH_EMPTY group, it is
> explicitly matching the *entire* string, so will fail if the QUERY or
> FRAGMENT groups match.
> A potential solution (see attached patch and tests) might be to remove the
> PATH_EMPTY group from the RELATIVE_PART, and make the entire RELATIVE_PART
> optional by adding ? to the group in RELATIVE_REF. This will still match
> completely empty URLs.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
