Sling / SLING-7814

URLs with JCR namespaces can get double encoded by XSSAPI.getValidHref


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: XSS Protection API 2.0.8
    • Fix Version/s: XSS Protection API 2.0.14
    • Component/s: Extensions
    • Labels: None

    Description

      The following URLs, when passed to org.apache.sling.xss.XSSAPI#getValidHref, get double encoded:

      1. /content/page with spaces/jcr:content
      2. /content/page%20with%20spaces/jcr:content

      The bug seems to be in the org.apache.sling.xss.impl.XSSAPIImpl#mangleNamespaces method.
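The double encoding reported above, shown on the two paths from the description. This is an added example, not code from the Sling project, and it does not reproduce XSSAPIImpl or mangleNamespaces; the class and method names are hypothetical and it assumes Java 10 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not Sling code.
public class DoubleEncodingCheck {

    // "%25" followed by two hex digits is an escape whose "%" was escaped again.
    private static final Pattern DOUBLE_ENCODED = Pattern.compile("%25[0-9A-Fa-f]{2}");

    static boolean isDoubleEncoded(String href) {
        return DOUBLE_ENCODED.matcher(href).find();
    }

    // Encodes the input as raw text: the multi-argument URI constructors always
    // quote "%", so an existing "%20" comes out as "%2520".
    static String encodeRaw(String path) throws URISyntaxException {
        return new URI(null, null, path, null).getRawPath();
    }

    // Decodes existing escapes first, then encodes exactly once, so the raw and
    // the already-encoded spelling of the same path give the same href.
    static String encodeOnce(String path) throws URISyntaxException {
        // URLDecoder treats "+" as a space; protect literal plus signs in paths.
        String decoded = URLDecoder.decode(path.replace("+", "%2B"), StandardCharsets.UTF_8);
        return encodeRaw(decoded);
    }

    public static void main(String[] args) throws URISyntaxException {
        // The two paths from the issue description.
        String[] inputs = {
            "/content/page with spaces/jcr:content",
            "/content/page%20with%20spaces/jcr:content"
        };
        for (String in : inputs) {
            String raw = encodeRaw(in);
            String once = encodeOnce(in);
            System.out.printf("%s%n  raw  -> %s (double encoded: %b)%n  once -> %s (double encoded: %b)%n",
                    in, raw, isDoubleEncoded(raw), once, isDoubleEncoded(once));
        }
    }
}
```

The `%25` pattern is a heuristic: a node name that really contains the text `%20` also encodes to `%2520`, so a match is a prompt to compare against the source path rather than proof of a defect.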

       


            People

              Assignee: Radu Cotescu
              Reporter: Radu Cotescu