Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

2022-05-20 Thread Robert Munteanu
Thanks Carsten and Oliver. I've filed
https://issues.apache.org/jira/browse/SLING-11326 and will create a
release which includes it soon.

Robert

On Thu, 2022-05-19 at 14:29 +0200, Oliver Lietz wrote:
> On Thursday, 19 May 2022 14:11:14 CEST Robert Munteanu wrote:
> > Hi,
> > 
> > Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is
> > an
> > effort to move over to the Java HTML cleaner [1]. Mapping out the
> > functionality currently supported revealed a feature that is IMO
> > of
> > uncertain value.
> > 
> > When validating HTML, external stylesheets embedded in style tags
> > are
> > loaded and inlined. For example, validating
> > 
> > ---
> > Hello, world
> > 
> > h1 { color: red }
> > @import "https://example.com/my-awesome-input.css";
> > 
> > ---
> > 
> > will access https://example.com/my-awesome-input.css, inline it in
> > the
> > style tag, and validate it.
> > 
> > This functionality is disabled in the default configuration we ship
> > with Sling. I think this can have a stability and performance
> > impact
> > when enabled and therefore I propose that we stop supporting it in
> > the
> > future.
> > 
> > I would start with logging a WARN message when stylesheet embedding
> > is
> > supported for the next patch version of the XSS bundle and then
> > removing the functionality in the next minor version.
> > 
> > Thoughts?
> 
> +1 deprecate and remove
> 
> O.
> 
> 
> > Thanks,
> > Robert
> > 
> > 
> > [1]: https://issues.apache.org/jira/browse/SLING-7231
Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

2022-05-19 Thread Oliver Lietz
On Thursday, 19 May 2022 14:11:14 CEST Robert Munteanu wrote:
> Hi,
> 
> Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
> effort to move over to the Java HTML cleaner [1]. Mapping out the
> functionality currently supported revealed a feature that is IMO of
> uncertain value.
> 
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
> 
> ---
> Hello, world
> 
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css";
> 
> ---
> 
> will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
> 
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
> 
> I would start with logging a WARN message when stylesheet embedding is
> supported for the next patch version of the XSS bundle and then
> removing the functionality in the next minor version.
> 
> Thoughts?

+1 deprecate and remove

O.


> Thanks,
> Robert
> 
> 
> [1]: https://issues.apache.org/jira/browse/SLING-7231
Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

2022-05-19 Thread Carsten Ziegeler

Hi,

agreed, it's better not to have this. I guess arbitrary embedding of
whatever is referenced is also not the best idea.


+1

Carsten

Am 19.05.2022 um 14:11 schrieb Robert Munteanu:

Hi,

Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
effort to move over to the Java HTML cleaner [1]. Mapping out the
functionality currently supported revealed a feature that is IMO of
uncertain value.

When validating HTML, external stylesheets embedded in style tags are
loaded and inlined. For example, validating

---
Hello, world

h1 { color: red }
@import "https://example.com/my-awesome-input.css";

---

will access https://example.com/my-awesome-input.css, inline it in the
style tag, and validate it.

This functionality is disabled in the default configuration we ship
with Sling. I think this can have a stability and performance impact
when enabled and therefore I propose that we stop supporting it in the
future.

I would start with logging a WARN message when stylesheet embedding is
supported for the next patch version of the XSS bundle and then
removing the functionality in the next minor version.

Thoughts?

Thanks,
Robert


[1]: https://issues.apache.org/jira/browse/SLING-7231



--
Carsten Ziegeler
Adobe
cziege...@apache.org


[RFC] Stop supporting embedded stylesheets in the Sling XSS bundle

2022-05-19 Thread Robert Munteanu
Hi,

Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
effort to move over to the Java HTML cleaner [1]. Mapping out the
functionality currently supported revealed a feature that is IMO of
uncertain value.

When validating HTML, external stylesheets embedded in style tags are
loaded and inlined. For example, validating

---
Hello, world

h1 { color: red }
@import "https://example.com/my-awesome-input.css";

---

will access https://example.com/my-awesome-input.css, inline it in the
style tag, and validate it.

This functionality is disabled in the default configuration we ship
with Sling. I think this can have a stability and performance impact
when enabled and therefore I propose that we stop supporting it in the
future.

I would start with logging a WARN message when stylesheet embedding is
supported for the next patch version of the XSS bundle and then
removing the functionality in the next minor version.

Thoughts?

Thanks,
Robert


[1]: https://issues.apache.org/jira/browse/SLING-7231
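An added example, not code from the Sling XSS bundle or AntiSamy: it reads an AntiSamy policy, reports whether the `embedStyleSheets` directive is enabled, and counts `@import` rules inside `<style>` elements of an input document, which is the information an operator would want logged before the feature is removed as proposed above. The policy snippet and HTML input are constructed; treating an absent directive as disabled is an assumption about AntiSamy defaults, and the `@import` scan is a logging heuristic, not a sanitiser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class StyleSheetEmbeddingCheck {
    private static final Logger LOG = Logger.getLogger(StyleSheetEmbeddingCheck.class.getName());

    // Constructed sample AntiSamy policy; only the <directives> section matters here.
    static final String SAMPLE_POLICY = "<anti-samy-rules><directives>"
        + "<directive name=\"embedStyleSheets\" value=\"true\"/>"
        + "<directive name=\"maxStyleSheetImports\" value=\"1\"/>"
        + "</directives></anti-samy-rules>";

    /** True when the policy enables embedStyleSheets, i.e. remote @import targets get fetched. */
    static boolean embedsStyleSheets(String policyXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(policyXml.getBytes(StandardCharsets.UTF_8)));
        NodeList directives = doc.getElementsByTagName("directive");
        for (int i = 0; i < directives.getLength(); i++) {
            Element d = (Element) directives.item(i);
            if ("embedStyleSheets".equals(d.getAttribute("name"))) {
                return Boolean.parseBoolean(d.getAttribute("value"));
            }
        }
        return false; // assumption: a missing directive means the feature is off
    }

    /** Heuristic count of @import rules inside <style> elements (for logging, not sanitising). */
    static int countStyleImports(String html) {
        Matcher style = Pattern.compile("(?is)<style\\b[^>]*>(.*?)</style>").matcher(html);
        int count = 0;
        while (style.find()) {
            Matcher imp = Pattern.compile("(?i)@import\\b").matcher(style.group(1));
            while (imp.find()) count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        if (embedsStyleSheets(SAMPLE_POLICY)) {
            LOG.warning("embedStyleSheets is enabled: external stylesheets referenced via @import "
                + "are fetched and inlined during sanitisation; this feature is deprecated.");
        }
        // Constructed input modelled on the example in the RFC.
        String html = "<h1>Hello, world</h1><style>h1 { color: red }\n"
            + "@import \"https://example.com/my-awesome-input.css\";</style>";
        System.out.println("@import rules inside <style>: " + countStyleImports(html));
    }
}
```

Run against the constructed policy this logs the WARN and prints a count of 1; pointing `embedsStyleSheets` at the policy actually deployed with the XSS bundle tells an operator whether the removal will change behaviour for them.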