IIRC there was at least one other reason for namespace mangling: to
support a filesystem based caching proxy where URLs are mapped to FS
paths. AFAIK windows doesn't allow the colon character in file or
folder names.
Whether that's an architecturally sound implementation choice is of
course anothe
Makes sense to me! I definitely agree this is unexpected behavior and given
current browser support the risk is low.
On Tue, Nov 19, 2019 at 12:03 PM Radu Cotescu wrote:
> Hi Dan,
>
> > On 19 Nov 2019, at 16:18, Daniel Klco wrote:
> >
> > I've seen issues with this in the wild. A client was att
Hi Dan,
> On 19 Nov 2019, at 16:18, Daniel Klco wrote:
>
> I've seen issues with this in the wild. A client was attempting to link to
> external URLs containing colons (bad practice I know, but you get health
> care web services to get out of the 1990's) in a HTL script which was
> getting mangl
the URLs nowadays,
and +1 to remove the mangling from the XSS handling.
stefan
>-Original Message-
>From: Radu Cotescu [mailto:r...@apache.org]
>Sent: Tuesday, November 19, 2019 4:02 PM
>To: Sling Dev
>Subject: [org.apache.sling.xss] namespace mangling
>
>Hi,
>
>
I've seen issues with this in the wild. A client was attempting to link to
external URLs containing colons (bad practice I know, but you get health
care web services to get out of the 1990's) in a HTL script which was
getting mangled even though the URL was not a JCR path.
My concern is that if th
Hi,
From the very beginning the org.apache.sling.xss code was donated to Sling it
provided an implementation of the XSSAPI.getValidHref that mangles JCR
namespaces from the passed URLs (let’s not comment on the naming). However, the
code that does this has no information about the registered na