Uploaded image for project: 'Sling'
  1. Sling
  2. SLING-7741

org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't correctly handle the ":" character in URL fragments

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • XSS Protection API 1.0.0, XSS Protection API 2.0.0, XSS Protection API Compat 1.1.0
    • XSS Protection API 2.0.8
    • XSS Protection API
    • None

    Description

      org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't correctly handle the ":" character in URL fragments:

      https://sling.apache.org/#fragment:test -> https://sling.apache.org/_#fragment_test

      Namespace mangling should only occur for the path section of the URL.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. SLING-7770 URLs ending in "/" get filtered by AntiSamy

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. SLING-7814 URLs with JCR namespaces can get double encoded by XSSAPI.getValidHref

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #2

          Web Link GitHub Pull Request #3

          Activity

            People

              radu Radu Cotescu
              radu Radu Cotescu
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h
                  1h