Sling / SLING-5946: XSSAPI#encodeForJSString is not restrictive enough


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: XSS Protection API 1.0.8
    • Fix Version/s: XSS Protection API 1.0.12
    • Component/s: Extensions
    • Labels: None

    Description

      Since SLING-5445, XSSAPI#encodeForJSString is no longer properly encoding </script> and <!--. We should revert to using OWASP Encode#forJavaScript and handle '-' characters correctly for JSON too, by replacing them with \u002D.
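      As an added example (not Sling's or the OWASP Encoder's own code), the encoder below has the property this issue asks for: every character outside a small safe set, '-' included, becomes a \uXXXX escape, which is legal in both a JavaScript string literal and a JSON string (JSON has no \xXX escape, hence \u002D). The breakout sequences it checks for and the sample input are constructed for the demonstration.

```javascript
// Added example for SLING-5946, not project code. Characters outside
// [A-Za-z0-9 ,._] are written as \uXXXX so the result is a valid JS string
// literal AND a valid JSON string, and can never spell out </script> or <!--.
const SAFE = /^[A-Za-z0-9 ,._]$/;

function encodeForJSString(input) {
  let out = '';
  for (const ch of String(input)) {        // iterates by code point
    if (SAFE.test(ch)) {
      out += ch;
      continue;
    }
    // Astral characters arrive as a surrogate pair: escape each code unit,
    // which is exactly how JSON represents them.
    for (let i = 0; i < ch.length; i++) {
      out += '\\u' + ch.charCodeAt(i).toString(16).padStart(4, '0').toUpperCase();
    }
  }
  return out;
}

// Defender's check: sequences that let a value inside an inline <script>
// block terminate the block or enter the HTML comment-escaped state.
const BREAKOUT = ['</script', '<script', '<!--', '-->'];

function containsBreakout(text) {
  const lower = text.toLowerCase();
  return BREAKOUT.some((seq) => lower.includes(seq));
}

// Round trip through JSON.parse: proves the escapes are JSON-legal and that
// a consumer decodes exactly the original value.
function roundTripsViaJson(input) {
  return JSON.parse('"' + encodeForJSString(input) + '"') === input;
}

// Constructed sample containing the two sequences named in the issue.
const sample = '</script><!-- --> alert(1) -';

console.log(encodeForJSString(sample));
console.log('raw input has breakout:', containsBreakout(sample));          // true
console.log('encoded has breakout:', containsBreakout(encodeForJSString(sample))); // false
console.log('JSON round trip ok:', roundTripsViaJson(sample));             // true
```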

      Attachments

        1. SLING_5946.patch (2 kB, Vlad Bailescu)

      People

        Robert Munteanu (rombert)
        Vlad Bailescu (vladb)