I've seen issues with this in the wild. A client was attempting to link to
external URLs containing colons (bad practice I know, but you get health
care web services to get out of the 1990s) in an HTL script, which was
getting mangled even though the URL was not a JCR path.

My concern is that if this gets removed could the converse become a
problem? How would implementers know when to mangle the paths correctly and
does this place the burden on the end developer to support this and thus
potentially lead to errors in the implementation?

Regards,
Dan

On Tue, Nov 19, 2019 at 10:01 AM Radu Cotescu <r...@apache.org> wrote:

> Hi,
>
> From the very beginning, when the org.apache.sling.xss code was donated to
> Sling, it provided an implementation of the XSSAPI.getValidHref that mangles
> JCR namespaces from the passed URLs (let’s not comment on the naming). However,
> the code that does this has no information about the registered namespaces
> that one can see when accessing the
> "/system/console/status-JCR%20Namespaces" console and, instead, works with
> patterns. Brittle, I know.
>
> Now, if we check the ResourceResolver API, specifically the
> org.apache.sling.api.resource.ResourceResolver#map(java.lang.String) method
> [0], we see that namespace mangling should be performed here [1].
>
> In my opinion we should completely remove the mangling functionality from
> the XSS implementation, since it’s the caller’s responsibility to provide a
> correct request path. We cannot assume all URLs passed to the
> XSSAPI.getValidHref are JCR paths and I wouldn’t like to add more context
> in the implementation.
>
> Are there different opinions? I’d like to consult the dev list before
> opening an issue and removing the code in question [2].
>
> Thanks,
> Radu
>
>
> [0] - https://github.com/apache/sling-org-apache-sling-api/blob/11bf3603155af21201b0fced2c6968d2223254b9/src/main/java/org/apache/sling/api/resource/ResourceResolver.java#L294
> [1] - https://sling.apache.org/documentation/the-sling-engine/mappings-for-resource-resolution.html#namespace-mangling
> [2] - https://github.com/apache/sling-org-apache-sling-xss/blob/8ec9cf33080fbbb70dc6a51dea92533946295db8/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java#L194
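The failure Dan describes (an external URL containing colons being rewritten as if it were a JCR path) and the namespace-aware behaviour Radu points to in [1] can be put side by side. The following is an added illustration, not code from the Sling XSS or API modules. It assumes the rule documented for Sling, that a path segment `prefix:name` is mangled to `_prefix_name` and unmangled on the way back; the set of registered prefixes is a constructed sample (a real instance would take it from the repository, as shown in the "JCR Namespaces" console), and the decision that only an absolute path with a single leading slash is a repository path is an assumed heuristic, not something the thread specifies. Python is used because the rule itself is language-independent.

```python
import re

# Constructed sample of registered namespace prefixes. A real Sling instance
# would supply these from the repository; they are hard-coded only so the
# example runs offline.
REGISTERED_PREFIXES = frozenset({"jcr", "nt", "mix", "sling", "rep"})

# The brittle, pattern-based approach: any "/something:something" is treated
# as a namespaced JCR segment, whatever the string really is.
_PATTERN = re.compile(r"/([^:/]+):([^:/]+)")


def mangle_by_pattern(href: str) -> str:
    """Mangle with a bare regex and no knowledge of registered prefixes."""
    return _PATTERN.sub(r"/_\1_\2", href)


def _split_href(href: str):
    """Separate the path from query string and fragment. The '#' is split
    first because a fragment may itself contain '?'."""
    path, _, fragment = href.partition("#")
    path, _, query = path.partition("?")
    return path, query, fragment


def _join_href(path: str, query: str, fragment: str) -> str:
    out = path
    if query:
        out += "?" + query
    if fragment:
        out += "#" + fragment
    return out


def mangle_namespaces(path: str, prefixes=REGISTERED_PREFIXES) -> str:
    """Apply prefix:name -> _prefix_name to each segment, but only when the
    prefix is a registered namespace."""
    segments = []
    for seg in path.split("/"):
        prefix, sep, name = seg.partition(":")
        if sep and name and prefix in prefixes:
            segments.append(f"_{prefix}_{name}")
        else:
            segments.append(seg)
    return "/".join(segments)


_MANGLED = re.compile(r"^_([^_/]+)_(.+)$")


def unmangle_namespaces(path: str, prefixes=REGISTERED_PREFIXES) -> str:
    """Reverse the mangling, as a resolver does for an incoming request path;
    segments whose prefix is not registered are left alone."""
    segments = []
    for seg in path.split("/"):
        m = _MANGLED.match(seg)
        if m and m.group(1) in prefixes:
            segments.append(f"{m.group(1)}:{m.group(2)}")
        else:
            segments.append(seg)
    return "/".join(segments)


def is_repository_path(href: str) -> bool:
    """Assumed heuristic: only an absolute path with a single leading '/'
    (no scheme, not a protocol-relative '//host' URL) is a JCR path candidate."""
    return href.startswith("/") and not href.startswith("//")


def mangle_href(href: str, prefixes=REGISTERED_PREFIXES) -> str:
    """Namespace-aware mangling that leaves non-repository URLs untouched."""
    if not is_repository_path(href):
        return href
    path, query, fragment = _split_href(href)
    return _join_href(mangle_namespaces(path, prefixes), query, fragment)


if __name__ == "__main__":
    # Constructed external URL with colons in both the authority and the path.
    external = "https://hl7.example.org:8443/fhir/Patient/urn:oid:1.2.840"
    print(mangle_by_pattern(external))  # corrupted host and path
    print(mangle_href(external))        # left untouched
    internal = "/content/site/jcr:content/par/image.img.png?w=1#top"
    print(mangle_href(internal))        # only the jcr: segment changes
```

The regex version corrupts both the port and the `urn:oid` segment of the external URL, which is exactly the symptom seen in the HTL script; the namespace-aware version changes nothing outside an absolute repository path and, within one, touches only segments whose prefix it knows about. That is the information the XSS module does not have and the resource resolver does.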
