      Description

While looking at the extensive dependency list of the XSS module (which are all caused by the embedded owasp.org artifacts), I found out that the versions we use are outdated,
so I think we should update those to the latest.
Furthermore, the embedded AntiSamy library does not look to be maintained anymore
(https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project);
instead, the HTML sanitizer looks much fresher and claims to be faster:
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
I think we should switch. Quick analysis:
      Pros:

      Actively maintained
      Much faster
      Lightweight (also from a dependency POV)

      Cons:

      Incompatible (and runtime-object based) configuration
      Not completely feature equivalent (but close enough and better in some aspects)

      Some investigation is needed on how
      a) filter rules can be configured (e.g. sling configurations, file based, code bundle, ... ?)
      b) existing configurations can be migrated
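As an added example (not code from this issue, from the Sling XSS module, or from either OWASP project), the following shows what the "runtime-object based configuration" of the OWASP Java HTML Sanitizer looks like in practice: the allow-list is assembled in code with HtmlPolicyBuilder rather than read from an AntiSamy XML policy file, which is the gap any migration of existing configurations has to bridge. The class name, the chosen element/attribute allow-list and the sample input are constructed for illustration; the HtmlPolicyBuilder, PolicyFactory and Sanitizers APIs are those of the org.owasp.html package.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Illustrative only: a policy expressed as runtime objects instead of an
 * AntiSamy-style XML policy file. Anything not explicitly allowed (elements,
 * attributes, URL protocols) is dropped by the sanitizer.
 */
public class SanitizerPolicyExample {

    // Hand-built policy: the equivalent of an AntiSamy <tag-rules> section,
    // but constructed in code (these choices are an assumption for the example).
    static final PolicyFactory RICH_TEXT = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "em", "strong", "ul", "ol", "li", "a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()      // http, https, mailto; no javascript:
            .requireRelNofollowOnLinks()      // rel="nofollow" added to every <a>
            .toFactory();

    // Alternative: compose the library's prebuilt policies instead of listing tags.
    static final PolicyFactory PREBUILT = Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    /** Sanitize untrusted markup with the hand-built allow-list. */
    static String sanitizeRichText(String untrustedHtml) {
        return RICH_TEXT.sanitize(untrustedHtml);
    }

    /** Sanitize untrusted markup with the composed prebuilt policies. */
    static String sanitizeWithPrebuilt(String untrustedHtml) {
        return PREBUILT.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input (not from the issue): mixes allowed formatting
        // with an event-handler attribute, a script element and a non-standard
        // URL protocol, none of which survive the policies above.
        String untrusted = "<p onclick=\"alert(1)\">Hello <b>world</b>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">bad link</a> "
                + "<a href=\"https://example.org/\">good link</a></p>";

        System.out.println("hand-built policy : " + sanitizeRichText(untrusted));
        System.out.println("prebuilt policies : " + sanitizeWithPrebuilt(untrusted));
    }
}
```

Because the policy is an immutable Java object, a Sling deployment would have to build it from some configuration source at bundle start (or on configuration change) rather than pointing the sanitizer at a file, which is exactly point a) of the investigation above.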

People

Assignee: Radu Cotescu (radu.cotescu)
Reporter: Carsten Ziegeler (cziegeler)