Details
- Type: Improvement
- Status: Closed
- Priority: Critical
- Resolution: Fixed
Description
While looking at the extensive dependency list of the XSS module (all of which is caused by the embedded owasp.org artifacts), I found out that the versions we use are outdated. So I think we should update those to the latest.

Furthermore, the embedded AntiSamy library does not look to be maintained anymore (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project); instead, the HTML Sanitizer looks much fresher and claims to be faster (https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project).

I think we should switch. Quick analysis:

Pros:
- Actively maintained
- Much faster
- Lightweight (also from a dependency POV)

Cons:
- Incompatible (and runtime-object based) configuration
- Not completely feature equivalent (but close enough and better in some aspects)

Some investigation is needed on how
a) filter rules can be configured (e.g. Sling configurations, file based, code bundle, ... ?)
b) existing configurations can be migrated
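To make the "runtime-object based configuration" point concrete, here is an added example (not code from this issue or from the Sling XSS module) of what a small AntiSamy-style allow-list looks like when expressed as an OWASP Java HTML Sanitizer `PolicyFactory` built in code. It uses the library's real `org.owasp.html.HtmlPolicyBuilder`, `PolicyFactory` and `Sanitizers` API; the rule set, the `SAFE_CLASS` pattern and the sample inputs are constructed for illustration, and the example deliberately says nothing about how Sling would load such rules, which is the open question above.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

import java.util.regex.Pattern;

/**
 * Constructed example: a small allow-list of the kind an AntiSamy policy XML
 * declares per tag/attribute, expressed as an OWASP Java HTML Sanitizer policy.
 * Assumes the owasp-java-html-sanitizer artifact is on the classpath.
 */
public final class SanitizerPolicyExample {

    /** Constructed rule: plain class names only, so no CSS-expression style payloads survive. */
    private static final Pattern SAFE_CLASS = Pattern.compile("[a-zA-Z0-9\\-_ ]{1,64}");

    /**
     * Builds the policy once. A PolicyFactory is immutable and thread-safe,
     * so one instance can be shared by all callers (unlike a per-request AntiSamy scan setup).
     */
    static PolicyFactory buildPolicy() {
        PolicyFactory custom = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "em", "strong", "ul", "ol", "li")
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowAttributes("class").matching(SAFE_CLASS).globally()
            .allowStandardUrlProtocols()   // http, https, mailto; any other scheme in href is dropped
            .requireRelNofollowOnLinks()   // every surviving <a> gets rel="nofollow"
            .toFactory();
        // Policies compose: the library's vetted formatting rules are combined with the custom ones.
        return custom.and(Sanitizers.FORMATTING);
    }

    /** Runs untrusted markup through the policy; everything not explicitly allowed is removed. */
    static String sanitize(PolicyFactory policy, String untrustedHtml) {
        return policy.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        PolicyFactory policy = buildPolicy();
        // Constructed inputs of the kind a sanitizer test suite would use.
        String[] samples = {
            "<p class=\"intro\">Hello <b>world</b></p>",
            "<p>Link: <a href=\"https://sling.apache.org\">Sling</a></p>",
            "<p>Rejected scheme: <a href=\"javascript:alert(1)\">x</a></p>",
            "<p onclick=\"x()\">Text</p><script>alert(1)</script>",
            "<div style=\"color:red\">block-level element and styling are not in the allow-list</div>",
        };
        for (String s : samples) {
            System.out.println("IN : " + s);
            System.out.println("OUT: " + sanitize(policy, s));
            System.out.println();
        }
    }
}
```

The contrast with AntiSamy is the migration cost flagged under "Cons": AntiSamy rules live in a policy XML file loaded at runtime, whereas here every tag, attribute and URL-scheme rule is a builder call, so an existing XML policy has to be translated into code (or into whatever configuration format the module ends up generating builder calls from).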
Issue Links
- incorporates
  - SLING-11592 Add missing test for sanitizer library (Closed)
- is related to
  - SLING-11244 Update Sling XSS tests to use data providers (or similar) (Closed)
  - SLING-11425 Make URI filtering test more lenient in case of invalid XML input (Closed)
  - SLING-11882 XSS Protection API: Apply shading/package relocation to embedded Guava+Co Libraries (Closed)
- links to