[ 
https://issues.apache.org/jira/browse/SLING-11425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Munteanu resolved SLING-11425.
-------------------------------------
    Resolution: Fixed

https://github.com/apache/sling-org-apache-sling-xss/pull/25 merged, thanks [~tvogel]!

> Make URI filtering test more lenient in case of invalid XML input
> -----------------------------------------------------------------
>
>                 Key: SLING-11425
>                 URL: https://issues.apache.org/jira/browse/SLING-11425
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: XSS Protection API 2.2.22
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The AntiSamyPolicyTest validates URI filtering in a scenario where it passes 
> invalid XML, where content is included after the closing slash, i.e.
> {noformat}<div/style=&#92&#45&#92&#...>{noformat}
> in 
> https://github.com/apache/sling-org-apache-sling-xss/blob/bafa22b0c3dfd457bfc8187d17dd8ffd14ab2158/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java#L216.
> The test is strict and asserts that no style tag is present, since the XML 
> parser used by AntiSamy does not recognize the tag. This is not in line with 
> how the style tag is treated currently, as invalid values are removed, but 
> the style tag is preserved.
> We should make the test more lenient and accept an empty style tag. This 
> would make it also compatible with the Java HTML Cleaner based implementation 
> worked on in SLING-7231.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
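The assertion change described in the issue, as an added, stand-alone illustration (this is not code from the Sling XSS module or from the linked pull request): a check over the sanitizer's output string that accepts either a dropped style attribute or an empty one, but still fails if any non-empty style value survives. The class and method names, and the three sample outputs, are constructed for this example; the sanitizer itself is not invoked here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Lenient style-attribute check for sanitizer output (example code, not part
 * of the Sling XSS Protection API). It passes when the sanitizer removed the
 * style attribute entirely and also when it kept the attribute but stripped
 * its invalid value; any non-empty style value is reported as a failure.
 */
public final class LenientStyleCheck {

    // Matches a style attribute with a double-quoted, single-quoted or unquoted value.
    private static final Pattern STYLE_ATTR = Pattern.compile(
            "(?i)\\bstyle\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]*))");

    private LenientStyleCheck() {}

    /**
     * Returns null when the cleaned markup is acceptable (no style attribute, or
     * only empty ones), otherwise a message naming the value that survived.
     */
    public static String checkStyleEmptyOrAbsent(String cleanedHtml) {
        Matcher m = STYLE_ATTR.matcher(cleanedHtml);
        while (m.find()) {
            String value = m.group(1) != null ? m.group(1)
                         : m.group(2) != null ? m.group(2)
                         : m.group(3);
            if (value != null && !value.trim().isEmpty()) {
                return "non-empty style attribute survived sanitisation: " + value;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample outputs a sanitizer might produce for the invalid
        // "<div/style=...>" input discussed in the issue.
        String[] outputs = {
            "<div></div>",                       // attribute dropped: old strict expectation
            "<div style=\"\"></div>",            // attribute kept, value stripped: now accepted
            "<div style=\"color:red\"></div>",   // a real value survived: still a failure
        };
        for (String o : outputs) {
            String failure = checkStyleEmptyOrAbsent(o);
            System.out.println(o + " -> " + (failure == null ? "OK" : failure));
        }
    }
}
```

In a JUnit test the same method would be called on the sanitizer's clean HTML and the result asserted to be null, which keeps the test agnostic to whether the backend (AntiSamy or an HTML-cleaner based one) drops the attribute or empties it.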
