Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle
Thanks Carsten and Oliver. I've filed https://issues.apache.org/jira/browse/SLING-11326 and will create a release which includes it soon.

Robert

On Thu, 2022-05-19 at 14:29 +0200, Oliver Lietz wrote:
> On Thursday, 19 May 2022 14:11:14 CEST Robert Munteanu wrote:
> > Hi,
> >
> > Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
> > effort to move over to the Java HTML cleaner [1]. Mapping out the
> > functionality currently supported revealed a feature that is IMO of
> > uncertain value.
> >
> > When validating HTML, external stylesheets embedded in style tags are
> > loaded and inlined. For example, validating
> >
> > ---
> > Hello, world
> >
> > h1 { color: red }
> > @import "https://example.com/my-awesome-input.css"
> >
> > ---
> >
> > Will access https://example.com/my-awesome-input.css, inline it in the
> > style tag, and validate it.
> >
> > This functionality is disabled in the default configuration we ship
> > with Sling. I think this can have a stability and performance impact
> > when enabled and therefore I propose that we stop supporting it in the
> > future.
> >
> > I would start with logging a WARN message when stylesheet embedding is
> > supported for the next patch version of the XSS bundle and then
> > removing the functionality in the next minor version.
> >
> > Thoughts?
>
> +1 deprecate and remove
>
> O.
>
> > Thanks,
> > Robert
> >
> >
> > [1]: https://issues.apache.org/jira/browse/SLING-7231
Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle
On Thursday, 19 May 2022 14:11:14 CEST Robert Munteanu wrote:
> Hi,
>
> Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
> effort to move over to the Java HTML cleaner [1]. Mapping out the
> functionality currently supported revealed a feature that is IMO of
> uncertain value.
>
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
>
> ---
> Hello, world
>
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css"
>
> ---
>
> Will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
>
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
>
> I would start with logging a WARN message when stylesheet embedding is
> supported for the next patch version of the XSS bundle and then
> removing the functionality in the next minor version.
>
> Thoughts?

+1 deprecate and remove

O.

> Thanks,
> Robert
>
>
> [1]: https://issues.apache.org/jira/browse/SLING-7231
Re: [RFC] Stop supporting embedded stylesheets in the Sling XSS bundle
Hi,

agreed, it's better not to have this. I guess arbitrary embedding of whatever is referenced is also not the best idea.

+1

Carsten

On 19.05.2022 at 14:11, Robert Munteanu wrote:
> Hi,
>
> Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
> effort to move over to the Java HTML cleaner [1]. Mapping out the
> functionality currently supported revealed a feature that is IMO of
> uncertain value.
>
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
>
> ---
> Hello, world
>
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css"
>
> ---
>
> Will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
>
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
>
> I would start with logging a WARN message when stylesheet embedding is
> supported for the next patch version of the XSS bundle and then
> removing the functionality in the next minor version.
>
> Thoughts?
>
> Thanks,
> Robert
>
>
> [1]: https://issues.apache.org/jira/browse/SLING-7231

-- 
Carsten Ziegeler
Adobe
cziege...@apache.org
[RFC] Stop supporting embedded stylesheets in the Sling XSS bundle
Hi,

Our Sling XSS bundle uses AntiSamy for HTML sanitisation. There is an
effort to move over to the Java HTML cleaner [1]. Mapping out the
functionality currently supported revealed a feature that is IMO of
uncertain value.

When validating HTML, external stylesheets embedded in style tags are
loaded and inlined. For example, validating

---
Hello, world

h1 { color: red }
@import "https://example.com/my-awesome-input.css"

---

Will access https://example.com/my-awesome-input.css, inline it in the
style tag, and validate it.

This functionality is disabled in the default configuration we ship
with Sling. I think this can have a stability and performance impact
when enabled and therefore I propose that we stop supporting it in the
future.

I would start with logging a WARN message when stylesheet embedding is
supported for the next patch version of the XSS bundle and then
removing the functionality in the next minor version.

Thoughts?

Thanks,
Robert


[1]: https://issues.apache.org/jira/browse/SLING-7231
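The behaviour under discussion is a sanitizer that, on seeing an `@import` in a style block, fetches the referenced stylesheet over the network and inlines it. The example below is added here as an editor's illustration of the alternative the thread converges on, and is not Sling or AntiSamy code: the `@import` rule is dropped from the style block and reported back to the caller, so that a WARN can be logged and no outbound request is ever made during validation. The HTML tags wrapped around the thread's sample input are an assumption (the archive stripped them), as are all function names.

```python
"""Drop @import rules from <style> blocks instead of fetching them.

Added example, not Sling or AntiSamy code. It mirrors the input from the
thread: a fragment whose <style> element contains an @import pointing at an
external stylesheet. Rather than loading and inlining that stylesheet, the
rule is removed and its location returned, so a caller can emit a WARN.
"""
import re
from typing import List, Tuple

# Whole <style ...>...</style> element; the tags are captured so they can be re-emitted.
_STYLE_BLOCK = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.IGNORECASE | re.DOTALL)

# An @import rule in any of its forms:
#   @import "x.css";   @import 'x.css';   @import url(x.css) screen;
# Exactly one of groups 1..3 holds the referenced location. The trailing
# [^;\n]* only swallows a media list on the same line, never the next rule.
_IMPORT_RULE = re.compile(
    r"""@import\s+(?:url\(\s*['"]?([^'")]*)['"]?\s*\)|"([^"]*)"|'([^']*)')[^;\n]*;?""",
    re.IGNORECASE,
)


def strip_css_imports(css: str) -> Tuple[str, List[str]]:
    """Return the CSS with every @import rule removed, plus the dropped locations."""
    dropped: List[str] = []

    def _drop(m: re.Match) -> str:
        dropped.append(next(g for g in m.groups() if g is not None).strip())
        return ""  # the rule is removed, nothing is fetched

    return _IMPORT_RULE.sub(_drop, css), dropped


def strip_style_imports(html: str) -> Tuple[str, List[str]]:
    """Apply strip_css_imports to every <style> element of an HTML fragment.

    Text outside <style> is left untouched, so an '@import' that merely appears
    in visible content is not rewritten.
    """
    dropped_all: List[str] = []

    def _rewrite(m: re.Match) -> str:
        cleaned, dropped = strip_css_imports(m.group(2))
        dropped_all.extend(dropped)
        return m.group(1) + cleaned + m.group(3)

    return _STYLE_BLOCK.sub(_rewrite, html), dropped_all


# Constructed sample input: the thread's example with assumed surrounding tags.
SAMPLE_HTML = (
    "<html><body><p>Hello, world</p>\n"
    "<style>\n"
    "h1 { color: red }\n"
    '@import "https://example.com/my-awesome-input.css"\n'
    "</style></body></html>"
)

if __name__ == "__main__":
    cleaned_html, dropped_refs = strip_style_imports(SAMPLE_HTML)
    for ref in dropped_refs:
        # Where the thread proposes a WARN, a real caller would log here.
        print(f"WARN: dropped stylesheet import, not fetched: {ref}")
    print(cleaned_html)
```

The rewrite works on the style text only; it never opens a socket, so a hostile or merely slow `@import` target cannot stall validation, which is the stability and performance concern raised in the RFC.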