[
https://issues.apache.org/jira/browse/SLING-11326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Munteanu closed SLING-11326.
-----------------------------------
> Deprecate processing of embedded style sheets
> ---------------------------------------------
>
> Key: SLING-11326
> URL: https://issues.apache.org/jira/browse/SLING-11326
> Project: Sling
> Issue Type: Improvement
> Components: XSS Protection API
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Priority: Major
> Fix For: XSS Protection API 2.2.20
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
> ---
> <h1>Hello, world</h1>
> <style type="text/css">
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css";
> </style>
> ---
> Will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
> See also https://lists.apache.org/thread/l1yfmc6jkd9gx5bmx509dy25dc6o434m
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
