Hi,

I had a query on XSSFilterImpl.isValidHref [1]. This method returns true for the following URL:

/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵

but returns false for the following URL:

/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11

which implies that /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid href and /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵 is not a valid href, which seems a bit strange to me. Can someone please explain the reasoning behind this?

Here's the stack trace, which points to the method which returns the true/false:

0 = {StackTraceElement@23279} "org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
1 = {StackTraceElement@23280} "org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
2 = {StackTraceElement@23281} "org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
3 = {StackTraceElement@23282} "org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
4 = {StackTraceElement@23283} "com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"

Regards,
Satya Deep

[1] - https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178