sling-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Konrad Windszus (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SLING-7703) XSSFilter.filter(XSSFilter.DEFAULT_CONTEXT, ...) unescapes given unicode escape sequences
Date Sat, 02 Jun 2018 10:46:00 GMT
Konrad Windszus created SLING-7703:
--------------------------------------

             Summary: XSSFilter.filter(XSSFilter.DEFAULT_CONTEXT, ...) unescapes given unicode
escape sequences
                 Key: SLING-7703
                 URL: https://issues.apache.org/jira/browse/SLING-7703
             Project: Sling
          Issue Type: Bug
          Components: XSS Protection API
    Affects Versions: XSS Protection API 2.0.6
            Reporter: Konrad Windszus


When giving a unicode escape sequence like 
{code}
test &#9989; test
{code}
to {{XSSFilter.filter(...)}} the returned value contains the unescaped character.

This is always a problem if the output is not UTF-8.
The expected behaviour is that those non-dangerous unicode escape sequence pass the filter
without getting unescaped.

{{XSSFilter.filter(...)}} is used e.g. from HTL with display context "html" (https://github.com/apache/sling-org-apache-sling-scripting-sightly/blob/f46ff4d97b96d21da521651fe9f789f89253452f/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java#L123)




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message