YvCeung commented on code in PR #7596: URL: https://github.com/apache/incubator-seata/pull/7596#discussion_r2297221817
########## server/src/main/java/org/apache/seata/server/filter/XSSHttpRequestFilter.java:
##########
@@ -60,21 +59,17 @@ public class XSSHttpRequestFilter implements HttpRequestFilter {
 Pattern.CASE_INSENSITIVE);
 public XSSHttpRequestFilter() {
- String xssKeywordConfig = CONFIG.getConfig(SERVER_HTTP_FILTER_XSS_FILTER_KEYWORDS, null);
-
- if (StringUtils.isBlank(xssKeywordConfig)) {
- this.xssKeywords = DEFAULT_XSS_KEYWORDS;
- } else {
- ObjectMapper objectMapper = new ObjectMapper();
- try {
- xssKeywords = objectMapper.readValue(xssKeywordConfig, new TypeReference<List<String>>() {});
- } catch (JsonProcessingException e) {
- throw new IllegalArgumentException(
- "Invalid format for configuration 'server.http.filter.xss.keywords'. "
- + "Expected a JSON array like [\"<script>\", \"vbscript:\"], but got: "
- + xssKeywordConfig,
- e);
- }
+ String xssKeywordConfig = CONFIG.getConfig(SERVER_HTTP_FILTER_XSS_FILTER_KEYWORDS, DEFAULT_XSS_KEYWORDS);
Review Comment:
> Security is not an option.
The system itself reserves a switch for whether xssFilter is enabled or not. If xss protection is enabled but no specific keywords for protection are specified, the default keywords will be used
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@seata.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@seata.apache.org
For additional commands, e-mail: notifications-h...@seata.apache.org
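Review bot: The new `CONFIG.getConfig(SERVER_HTTP_FILTER_XSS_FILTER_KEYWORDS, DEFAULT_XSS_KEYWORDS)` line only substitutes the defaults when the configuration source itself returns nothing, whereas the removed `StringUtils.isBlank(xssKeywordConfig)` check also covered a key that is present but set to an empty or whitespace value; unless getConfig is known to treat such values as absent, an operator who leaves the property blank would now end up with an empty keyword list while the XSS switch still reports the filter as enabled. The removed `catch (JsonProcessingException e)` branch was the only place a malformed keyword array failed startup with a descriptive IllegalArgumentException; wherever the JSON parsing now lives, it should keep an equally loud failure rather than degrading to an empty or partial list. A minimal guard after the new line would be `if (StringUtils.isBlank(xssKeywordConfig)) { xssKeywordConfig = DEFAULT_XSS_KEYWORDS; }`, which restores the old blank handling regardless of getConfig's semantics. The constructor body continues outside the quoted hunk, so the rest of the parsing path could not be checked here.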