sling-dev mailing list archives

From "Konrad Windszus (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SLING-6793) Remove unused methods from XSSAPI
Date Fri, 13 Mar 2020 13:03:00 GMT

    [ https://issues.apache.org/jira/browse/SLING-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17058708#comment-17058708
] 

Konrad Windszus commented on SLING-6793:
----------------------------------------

[~cziegeler] Although it is pretty easy to get this in Java, there is no [BindingsValuesProvider|https://github.com/apache/sling-org-apache-sling-scripting-api/blob/master/src/main/java/org/apache/sling/scripting/api/BindingsValuesProvider.java]
for the XSSApi (for any script engine). So what is your recommended way now to get the XSSApi
in JSP?

> Remove unused methods from XSSAPI
> ---------------------------------
>
>                 Key: SLING-6793
>                 URL: https://issues.apache.org/jira/browse/SLING-6793
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Carsten Ziegeler
>            Assignee: Karl Pauls
>            Priority: Major
>             Fix For: XSS Protection API 2.0.0
>
>
> The XSSAPI defines two methods:
>     XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request);
>     XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver);
> which imply that there is some user-specific XSS checking for validating hrefs. However,
> user-specific XSS validation is neither implemented nor does it make sense.
> Therefore we should remove these methods.
> At the same time we should remove the XSSAPIAdapterFactory as this is abusing the adapter
> pattern. Getting an XSSAPI service in Java or JSP is easy and there is no need to use the
> adapter pattern here.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
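The plain-service approach the issue description refers to, shown as an added example that is not code from the Sling project or from either commenter: the XSSAPI is injected as a regular OSGi service and used to validate an href and encode link text, with no request- or resolver-specific variant and no adapter. The package, class name, servlet path and request parameter name are assumptions.

```java
package example; // hypothetical package, not part of Sling

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Declarative Services injects the single XSSAPI service. Validation does not
// depend on the user or session, so nothing is adapted from the request or the
// resource resolver.
@Component(service = Servlet.class,
           property = { "sling.servlet.paths=/bin/example/link" }) // assumed path
public class LinkServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssAPI;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        String target = request.getParameter("target"); // assumed parameter name

        // getValidHref() returns a variant of the URL that is safe to write as an
        // href, or an empty string when the URL is rejected; encodeForHTML() escapes
        // the text so it cannot break out of the element body.
        String safeHref = xssAPI.getValidHref(target);
        String safeText = xssAPI.encodeForHTML(target);

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("<a href=\"" + safeHref + "\">" + safeText + "</a>");
    }
}
```

In a JSP that declares `<sling:defineObjects/>`, the same service is reachable without an adapter through `sling.getService(XSSAPI.class)` on the script helper.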
