[ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447440#comment-17447440 ]

Radu Cotescu commented on SLING-7231:
-------------------------------------

[~tvogel], the goal would be to completely replace at least AntiSamy 
(and its dependencies) with the HTML Sanitizer. If you can replace the other 
two as well, while still offering a meaningful implementation for the two APIs 
this bundle provides, namely {{org.apache.sling.xss.XSSAPI}} and 
{{org.apache.sling.xss.XSSFilter}}, then it's obviously a bigger win.

Another thing to keep in mind is trying to find a way to import AntiSamy 
configurations (you have an example in the bundle itself), but apply them to 
the HTML Sanitizer.

The {{xml-apis}} and {{xalan}} dependencies are only needed for AntiSamy. Parsing the 
AntiSamy config file shouldn't necessarily require these two.

> Move to owasp sanitizer library
> -------------------------------
>
>                 Key: SLING-7231
>                 URL: https://issues.apache.org/jira/browse/SLING-7231
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Carsten Ziegeler
>            Assignee: Tatyana
>            Priority: Critical
>              Labels: gsoc2018, java, mentor
>
> While looking at the extensive dependency list of the XSS module (which are 
> all caused by the embedded owasp.org artifacts), I found out that the 
> versions we use are outdated.
> So I think we should update those to the latest.
> Furthermore, the embedded AntiSamy library does not look to be maintained 
> anymore
> (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project).
> Instead, the HTML Sanitizer looks much fresher and claims to be faster:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> I think we should switch. Quick analysis:
> Pros:
>     Actively maintained
>     Much faster
>     Lightweight (also from a dependency POV)
> Cons:
>     Incompatible (and runtime-object based) configuration
>     Not completely feature equivalent (but close enough and better in some 
> aspects)
> Some investigation is needed on how
> a) filter rules can be configured (e.g. sling configurations, file based, 
> code bundle, ... ?)
> b) existing configurations can be migrated 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
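Added example, not code from the Sling XSS bundle and not part of this thread: a sketch of the import path the comment asks for, reading the {{tag-rules}} of an AntiSamy-style policy with the JDK's own DOM parser (so neither {{xml-apis}} nor {{xalan}} is needed) and turning them into an OWASP Java HTML Sanitizer {{PolicyFactory}}. The policy fragment is constructed for the example and is not the bundle's {{config.xml}}; the class and method names are mine, and the mapping of AntiSamy actions onto {{HtmlPolicyBuilder}} calls is an assumption (only {{validate}} tags are allowed through, and AntiSamy's regexp-based attribute validation is not translated, URL schemes are restricted instead).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical importer: AntiSamy tag-rules -> OWASP HTML Sanitizer policy. */
public class AntiSamyPolicyImport {

    // Constructed fragment in AntiSamy's policy format; NOT the Sling bundle's config.xml.
    static final String ANTISAMY_FRAGMENT =
          "<anti-samy-rules>"
        + "  <tag-rules>"
        + "    <tag name=\"p\" action=\"validate\"/>"
        + "    <tag name=\"b\" action=\"validate\"/>"
        + "    <tag name=\"a\" action=\"validate\">"
        + "      <attribute name=\"href\"/>"
        + "      <attribute name=\"title\"/>"
        + "    </tag>"
        + "    <tag name=\"script\" action=\"remove\"/>"
        + "  </tag-rules>"
        + "</anti-samy-rules>";

    /** Builds a sanitizer policy from the tag-rules of an AntiSamy policy document. */
    static PolicyFactory fromAntiSamy(String policyXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The policy file is trusted configuration, but a config parser is still an XML
        // parser: refuse DTDs and external entities so a tampered file cannot trigger XXE.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(
            new ByteArrayInputStream(policyXml.getBytes(StandardCharsets.UTF_8)));

        HtmlPolicyBuilder builder = new HtmlPolicyBuilder();
        NodeList tags = doc.getElementsByTagName("tag");
        for (int i = 0; i < tags.getLength(); i++) {
            Element tag = (Element) tags.item(i);
            String name = tag.getAttribute("name");
            String action = tag.getAttribute("action");
            // Assumption: only "validate" tags become allowed elements. AntiSamy's
            // remove/filter/truncate actions all collapse into "not allowed" here, so the
            // output for those tags must be checked against the old AntiSamy behaviour.
            if (!"validate".equals(action)) {
                continue;
            }
            builder.allowElements(name);
            NodeList attrs = tag.getElementsByTagName("attribute");
            for (int j = 0; j < attrs.getLength(); j++) {
                String attrName = ((Element) attrs.item(j)).getAttribute("name");
                builder.allowAttributes(attrName).onElements(name);
            }
        }
        // AntiSamy's onsiteURL/offsiteURL regexps are not translated; instead limit href
        // to http/https/mailto so javascript: and data: URLs are dropped.
        builder.allowStandardUrlProtocols();
        return builder.toFactory();
    }

    public static void main(String[] args) throws Exception {
        PolicyFactory policy = fromAntiSamy(ANTISAMY_FRAGMENT);
        // Constructed input mixing allowed markup with two things the policy must strip.
        String untrusted = "<p>Hi <b>there</b> <a href=\"javascript:alert(1)\" "
            + "onclick=\"alert(2)\" title=\"t\">x</a><script>alert(3)</script></p>";
        // A Sling XSSFilter implementation would delegate filter(String) to this call.
        System.out.println(policy.sanitize(untrusted));
    }
}
```

The {{onclick}} attribute is dropped because it is never allowed, and the {{javascript:}} href is dropped by the URL protocol restriction; both outcomes are worth asserting in a test when migrating, since that is exactly where an AntiSamy configuration and a hand-built sanitizer policy can silently diverge.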
