From: "Konrad Windszus (Jira)"
To: dev@sling.apache.org
Date: Fri, 13 Mar 2020 13:03:00 +0000 (UTC)
Subject: [jira] [Commented] (SLING-6793) Remove unused methods from XSSAPI

[ https://issues.apache.org/jira/browse/SLING-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17058708#comment-17058708 ]

Konrad Windszus commented on SLING-6793:
----------------------------------------

[~cziegeler] Although it is pretty easy to get this in Java, there is no [BindingsValuesProvider|https://github.com/apache/sling-org-apache-sling-scripting-api/blob/master/src/main/java/org/apache/sling/scripting/api/BindingsValuesProvider.java] for the XSSApi (for any script engine). So what is your recommended way now to get the XSSApi in JSP?

> Remove unused methods from XSSAPI
> ---------------------------------
>
>                 Key: SLING-6793
>                 URL: https://issues.apache.org/jira/browse/SLING-6793
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Carsten Ziegeler
>            Assignee: Karl Pauls
>            Priority: Major
>             Fix For: XSS Protection API 2.0.0
>
>
> The XSSAPI defines two methods:
>
> XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request);
> XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver);
>
> which imply that there is some user-specific XSS checking for validating hrefs. However, user-specific XSS validation is neither implemented nor does it make sense.
> Therefore we should remove these methods.
>
> At the same time we should remove the XSSAPIAdapterFactory as this is abusing the adapter pattern. Getting an XSSAPI service in Java or JSP is easy and there is no need to use the adapter pattern here.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
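The comment above notes that no BindingsValuesProvider exposes the XSSAPI to scripts. What such a provider would look like, as an added example written for this page and not code from Apache Sling or from the thread participants: an OSGi Declarative Services component that obtains the XSSAPI service by reference and publishes it under a script binding name. The package name, class name, the binding key `xssAPI`, and the `javax.script.name` service property (used to restrict the provider to the JSP engine) are assumptions for illustration; verify the property name against the Sling Scripting version you run.

```java
// Hypothetical package for this example; not part of Apache Sling.
package com.example.sling.xss;

import javax.script.Bindings;

import org.apache.sling.scripting.api.BindingsValuesProvider;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Publishes the XSSAPI OSGi service into script bindings so a JSP (or any
 * other Sling script engine, if the engine restriction below is removed)
 * can call it without going through the adapter pattern.
 */
@Component(
    service = BindingsValuesProvider.class,
    property = {
        // Assumption: restricts this provider to the JSP engine. Drop this
        // property to publish the binding for every script engine.
        "javax.script.name=jsp"
    })
public class XssApiBindingsValuesProvider implements BindingsValuesProvider {

    // Hypothetical binding key; scripts would refer to the service by this name.
    static final String BINDING_NAME = "xssAPI";

    // The component is only activated once the XSSAPI service is available,
    // so the field is never null inside addBindings().
    @Reference
    private XSSAPI xssAPI;

    @Override
    public void addBindings(Bindings bindings) {
        // Do not clobber a binding another provider or the engine already set.
        if (!bindings.containsKey(BINDING_NAME)) {
            bindings.put(BINDING_NAME, xssAPI);
        }
    }
}
```

With the provider installed, a script can encode untrusted output through the bound service, for example `xssAPI.encodeForHTML(untrusted)` for an HTML body context or `xssAPI.encodeForHTMLAttr(untrusted)` for an attribute value; exactly how a given script engine surfaces bindings (as variables, page attributes, or EL values) depends on that engine, so check the engine's documentation before relying on the name.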