Hi Satya, I think you meant the other way around, regarding the URLs (you get false for /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵).
I suspect it has something to do with the characters from "㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵", which are not valid according to the configured regex. For more details check [2].

Cheers,
Radu

[2] - https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L112-L113

> On 24 Aug 2018, at 14:17, Satya Deep Maheshwari <m.satyad...@gmail.com> wrote:
>
> Hi
>
> I had a query on XSSFilterImpl.isValidHref [1]. This method returns true
> for the following url:
>
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
>
> but returns false for the following url
>
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11
>
> which implies that
>
> /conf/global/settings/dam/adminui-extension/imageprofile/ЁЖū11 is a valid
> href and
>
> and
>
> /conf/global/settings/dam/adminui-extension/imageprofile/㐀ЁЖū◆龋丂郎䲢䴘⺁〢⊕〾㐂㐆䶵
> is not a valid href
>
> which seems a bit strange to me. Can someone please explain the reasoning
> behind this?
>
> Here's the stacktrace which points to the method which returns the
> true/false
>
> 0 = {StackTraceElement@23279} "org.owasp.validator.html.model.Attribute.matchesAllowedExpression(Attribute.java:67)"
> 1 = {StackTraceElement@23280} "org.apache.sling.xss.impl.XSSFilterImpl.runHrefValidation(XSSFilterImpl.java:205)"
> 2 = {StackTraceElement@23281} "org.apache.sling.xss.impl.XSSFilterImpl.isValidHref(XSSFilterImpl.java:191)"
> 3 = {StackTraceElement@23282} "org.apache.sling.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:249)"
> 4 = {StackTraceElement@23283} "com.adobe.granite.xss.impl.XSSAPIImpl.getValidHref(XSSAPIImpl.java:52)"
>
> Regards
> Satya Deep
>
> [1] -
> https://github.com/apache/sling-org-apache-sling-xss/blob/0d2d8320a48f23ab07f636bf5be70c54cd13bba9/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L178