Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- XSS Protection API 1.0.0, XSS Protection API 2.0.0, XSS Protection API Compat 1.1.0
- None
Description
org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't correctly handle the ":" character in URL fragments:
https://sling.apache.org/#fragment:test -> https://sling.apache.org/_#fragment_test
Namespace mangling should only occur for the path section of the URL.
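The behaviour described above, as an added example that is not taken from the issue or from the Apache Sling code base: a mangling rule applied to the whole URL string, next to a variant that splits off the query and fragment first. The regular expression, class name and method names are assumptions inferred from the single input/output pair in the description.

```java
import java.util.regex.Pattern;

/** Added illustration; not the Apache Sling implementation. */
public class PathOnlyMangling {

    // Assumed rule, inferred from the issue's example: "/ns:name" becomes "/_ns_name".
    private static final Pattern NAMESPACED_SEGMENT = Pattern.compile("/([^:/]+):([^/]+)");

    /** Naive form: runs the rule over the whole URL, so "#a:b" and "?q=a:b" are rewritten too. */
    static String mangleWholeUrl(String url) {
        return NAMESPACED_SEGMENT.matcher(url).replaceAll("/_$1_$2");
    }

    /** Rewrites only the path; scheme, authority, query and fragment pass through unchanged. */
    static String manglePathOnly(String url) {
        // The path ends at the first '?' or '#', whichever comes first.
        int cut = url.length();
        int q = url.indexOf('?');
        int f = url.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (f >= 0) cut = Math.min(cut, f);
        String head = url.substring(0, cut);
        String tail = url.substring(cut);

        // Skip "scheme://authority" so that host:port is not treated as a namespace.
        int pathStart = 0;
        int schemeEnd = head.indexOf("://");
        if (schemeEnd >= 0) {
            int slash = head.indexOf('/', schemeEnd + 3);
            pathStart = slash >= 0 ? slash : head.length();
        }
        String path = head.substring(pathStart);
        return head.substring(0, pathStart)
                + NAMESPACED_SEGMENT.matcher(path).replaceAll("/_$1_$2") + tail;
    }

    public static void main(String[] args) {
        String[] samples = {
            "https://sling.apache.org/#fragment:test",   // input from the issue
            "/content/jcr:content#top",                  // constructed: namespace in the path
            "/search?q=jcr:title"                        // constructed: ':' only in the query
        };
        for (String s : samples) {
            System.out.println(s + "\n  whole URL: " + mangleWholeUrl(s)
                    + "\n  path only: " + manglePathOnly(s));
        }
    }
}
```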
Attachments
Issue Links
- causes
  - SLING-7770 URLs ending in "/" get filtered by AntiSamy (Closed)
  - SLING-7814 URLs with JCR namespaces can get double encoded by XSSAPI.getValidHref (Closed)