[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17754136#comment-17754136 ]

Stefan Seifert commented on SLING-10391:
----------------------------------------

Switching to {{org.apache.sling.xss.impl.XSSAPIImpl}} and mocking only the 
XSSFilter works well, but comes with a cosmetic downside. On the first unit 
test run, ESAPI prints a bunch of log messages to System.out like:
{noformat}
ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: C:\Users\stefan.seifert\esapi\ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: C:\Users\stefan.seifert\esapi\validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
{noformat}

It does not seem possible to disable this output, as it is logged before the 
actual logging implementation (which redirects to SLF4J as configured in 
ESAPI.properties from Sling XSS) is in place. Here is a discussion about this 
issue: https://github.com/ESAPI/esapi-java-legacy/issues/68 - they may change 
the implementation in the future, but the issue is already quite antique.

> Improve MockXSSAPIImpl
> ----------------------
>
>                 Key: SLING-10391
>                 URL: https://issues.apache.org/jira/browse/SLING-10391
>             Project: Sling
>          Issue Type: Improvement
>          Components: Testing
>    Affects Versions: Testing Sling Mock 3.0.2
>            Reporter: Henry Kuijpers
>            Assignee: Stefan Seifert
>            Priority: Major
>             Fix For: Testing Sling Mock 3.4.12
>
>
> MockXSSAPIImpl only has a few very simplistic method implementations (i.e. 
> for encodeForHTML it returns the input as-is).
> I think we can make some improvements to it, by:
> * Use StringEscapeUtils.escapeHtml4() to do HTML escaping (so that we can at 
> least see a difference in the output)
> * Use StringEscapeUtils.escapeXml() to do XML escaping
> etc.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
