Robert Munteanu created SLING-11326: ---------------------------------------
Summary: Deprecate processing of embedded style sheets Key: SLING-11326 URL: https://issues.apache.org/jira/browse/SLING-11326 Project: Sling Issue Type: Improvement Components: XSS Protection API Reporter: Robert Munteanu Assignee: Robert Munteanu Fix For: XSS Protection API 2.2.20 When validating HTML, external stylesheets embedded in style tags are loaded and inlined. For example, validating --- <h1>Hello, world</h1> <style type="text/css"> h1 { color: red } @import "https://example.com/my-awesome-input.css" </style> --- Will access https://example.com/my-awesome-input.css, inline it in the style tag, and validate it. This functionality is disabled in the default configuration we ship with Sling. I think this can have a stability and performance impact when enabled and therefore I propose that we stop supporting it in the future. See also https://lists.apache.org/thread/l1yfmc6jkd9gx5bmx509dy25dc6o434m -- This message was sent by Atlassian Jira (v8.20.7#820007)