rombert commented on code in PR #28:
URL:
https://github.com/apache/sling-org-apache-sling-xss/pull/28#discussion_r915601442
##########
pom.xml:
##########
@@ -188,21 +177,27 @@
<!--
======================================================================= -->
<dependencies>
<dependency>
- <groupId>org.owasp.antisamy</groupId>
- <artifactId>antisamy</artifactId>
- <version>1.6.4</version>
+ <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+ <artifactId>owasp-java-html-sanitizer</artifactId>
+ <version>20211018.2</version>
+ <scope>provided</scope>
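Review bot: the `<scope>provided</scope>` on the new owasp-java-html-sanitizer dependency changes the packaging model, not just the library: with `provided`, the sanitizer is no longer embedded in this bundle and must be supplied at runtime by whatever OSGi container deploys it, so the version actually used may differ from the 20211018.2 pinned here. Since this module reaches into the sanitizer's internals via reflection (CustomPolicy.java, linked in the comment below), a runtime-supplied build of a different version can break that access without any compile-time signal. Suggest keeping the dependency at the default compile scope and embedding it as the previous antisamy 1.6.4 entry was, so the reflective code and the library version it was written against always ship and are tested together.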
Review Comment:
The reason for embedding the bundle is that we're using reflection to remove
some features which conflict with the way we want to use it, see for instance
https://github.com/apache/sling-org-apache-sling-xss/blob/7d5b533f190ebf02a8c837546f2d230098733ecc/src/main/java/org/apache/sling/xss/impl/CustomPolicy.java#L243-L253.
The HTML Sanitizer insists on setting some sane defaults, which is good in
most scenarios. On the other hand, we expect to configure everything from
scratch using an AntiSamy config, so we reconcile them by simply nuking their
defaults.
If we allow the sanitizer library to be deployed as a bundle, we run the risk
of them changing the internals and breaking the way we access them.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]