Hi

I had a query on XSSFilterImpl.isValidHref [1]. This method returns true
for the following URL:

/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵

but returns false for the following URL:

/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11

which implies that

/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid
href and

/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
is not a valid href,

which seems a bit strange to me. Can someone please explain the reasoning
behind this?

Here's the stack trace, which points to the method that returns
true/false:

0 = {StackTraceElement@23279} "org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
1 = {StackTraceElement@23280} "org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
2 = {StackTraceElement@23281} "org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
3 = {StackTraceElement@23282} "org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
4 = {StackTraceElement@23283} "com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"

Regards
Satya Deep

[1] https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178