Hi Satya,

I think you meant the other way around, regarding the URLs (you get false for 
/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵).

I suspect it has something to do with the characters from "㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵", 
which are not valid according to the configured regex. For more details check 
[2].

Cheers,
Radu

[2] - 
https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L112-L113
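To make the regex explanation above concrete, here is an added example (not code from the Sling project or from either poster) that models an href allow-list check of the AntiSamy-style shape, letters and numbers of any script plus a short list of URL punctuation, and reports which characters of a path would make such a pattern fail. The character class is an assumption for illustration only; the pattern Sling actually applies is the one in the XSSFilterImpl source linked at [2], so check that file for the real allow-list. The two paths are the ones quoted from Satya's message.

```python
import unicodedata
from urllib.parse import quote

# Constructed allow-list modelled on the AntiSamy-style "onsiteURL" shape:
# any letter (\p{L}), any number (\p{N}) and this punctuation set.
# ASSUMPTION for this example, not the regex Sling ships; see [2] for that.
ALLOWED_PUNCTUATION = set(r"\.#@$%+&;-_~,?=/!")

# The two paths quoted in the thread (taken from the original message).
HREF_CJK = "/conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵"
HREF_LATIN = "/conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11"


def is_allowed_char(ch: str) -> bool:
    """True if ch is a letter, a number, or one of the listed punctuation marks."""
    if ch in ALLOWED_PUNCTUATION:
        return True
    category = unicodedata.category(ch)  # e.g. 'Lo', 'Lu', 'Nd', 'So', 'Sm', 'Nl'
    return category[0] in ("L", "N")


def disallowed_chars(href: str) -> list:
    """Characters, in order of appearance, that the allow-list would reject."""
    return [ch for ch in href if not is_allowed_char(ch)]


def is_valid_href(href: str) -> bool:
    """Whole-string allow-list match, the same decision a [...]* regex makes."""
    return not disallowed_chars(href)


def explain(href: str) -> str:
    """Human-readable report naming each rejected code point and its category."""
    bad = disallowed_chars(href)
    if not bad:
        return "valid: every character is in the allow-list"
    details = ", ".join(
        f"U+{ord(ch):04X} {unicodedata.name(ch, '?')} ({unicodedata.category(ch)})"
        for ch in bad
    )
    return f"rejected: {details}"


if __name__ == "__main__":
    for href in (HREF_CJK, HREF_LATIN):
        print(href)
        print("  ", explain(href))
    # Percent-encoding the path turns every non-ASCII code point into %XX,
    # which the same allow-list accepts; useful to know when a CMS path
    # legitimately contains symbols outside the letter/number categories.
    print(quote(HREF_CJK), "->", is_valid_href(quote(HREF_CJK)))
```

Run as-is, the CJK path is rejected because of the four non-letter symbols in it (the black diamond, the CJK radical, the circled plus and the ideographic variation indicator), while the CJK ideographs themselves pass as letters; the Cyrillic path passes. Note that the real AntiSamy-style pattern additionally rejects an `&colon` entity via a negative lookahead, which this illustration omits.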

> On 24 Aug 2018, at 14:17, Satya Deep Maheshwari <m.satyad...@gmail.com> wrote:
> 
> Hi
> 
> I had a query on XSSFilterImpl.isValidHref [1]. This method returns true
> for the following url:
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
> 
> but returns false for the following url
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11
> 
> which implies that
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid
> href and
> 
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
> is not a valid href
> 
> which seems a bit strange to me. Can someone please explain the reasoning
> behind this?
> 
> Here's the stacktrace which points to the method which returns the
> true/false
> 
> 0 = {StackTraceElement@23279}
> "org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
> 1 = {StackTraceElement@23280}
> "org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
> 2 = {StackTraceElement@23281}
> "org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
> 3 = {StackTraceElement@23282}
> "org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
> 4 = {StackTraceElement@23283}
> "com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"
> 
> Regards
> Satya Deep
> 
> [1] -
> https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178