SLING-11425: Make URI filtering test more lenient in case of invalid XML input


Details

    Description

      The AntiSamyPolicyTest validates URI filtering in a scenario where it passes invalid XML, where content is included after the closing slash, i.e.

      <div/style=&#92&#45&#92&#...>

      in https://github.com/apache/sling-org-apache-sling-xss/blob/bafa22b0c3dfd457bfc8187d17dd8ffd14ab2158/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java#L216 .

      The test is strict and asserts that no style tag is present, since the XML parser used by AntiSamy does not recognize the tag. This is not in line with how the style tag is treated currently, as invalid values are removed, but the style tag is preserved.

      We should make the test more lenient and accept an empty style tag. This would also make it compatible with the Java HTML Cleaner based implementation worked on in SLING-7231.
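
      A lenient check of the kind described above, as an added example (not code from the Sling project or its test suite): it accepts filtered output that has no style attribute or only an empty one, and rejects any output where a style value survived. The class and method names and the sample outputs are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LenientStyleCheck {

    // Finds a style attribute and captures its value, whether double-quoted,
    // single-quoted or unquoted. The lookbehind skips names such as data-style.
    private static final Pattern STYLE_ATTR = Pattern.compile(
            "(?<![\\w-])style\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]*))",
            Pattern.CASE_INSENSITIVE);

    /** Strict form: the output must not contain a style attribute at all. */
    static boolean hasNoStyle(String filtered) {
        return !STYLE_ATTR.matcher(filtered).find();
    }

    /** Lenient form: a style attribute may remain, but only with an empty value. */
    static boolean hasNoStyleOrEmptyStyle(String filtered) {
        Matcher m = STYLE_ATTR.matcher(filtered);
        while (m.find()) {
            String value = m.group(1) != null ? m.group(1)
                         : m.group(2) != null ? m.group(2)
                         : m.group(3);
            if (!value.trim().isEmpty()) {
                return false; // a style value survived filtering
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample outputs, not captured from a real filter run.
        String[] samples = {
            "<div />",                          // attribute dropped entirely
            "<div style=\"\"></div>",           // attribute kept, value removed
            "<div style=\"color: red\"></div>"  // value kept: both checks must fail
        };
        for (String s : samples) {
            System.out.printf("%-34s strict=%b lenient=%b%n",
                    s, hasNoStyle(s), hasNoStyleOrEmptyStyle(s));
        }
    }
}
```

      Only the second sample separates the two checks: the strict form rejects it and the lenient form accepts it.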

            People

              rombert Robert Munteanu

                Time Tracking

                  Original Estimate - Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 20m