Julian Sedding created SLING-12368:
--------------------------------------
Summary: regression: rule for "ol" tag fails on java 9+ after SLING-12276
Key: SLING-12368
URL: https://issues.apache.org/jira/browse/SLING-12368
Project: Sling
Issue Type: Improvement
Components: XSS Protection API
Reporter: Julian Sedding
Assignee: Julian Sedding
Fix For: XSS Protection API 2.4.2
The dependency update in SLING-12276 brings a change where
{{java.lang.Set.of()}} methods are used _if_ the runtime is Java 9+.
{{Set.of()}} throws an exception if any two arguments are equal.
The configuration for the "ol" tag is as follows:
{code:xml}
<tag name="ol" action="validate">
    <attribute name="start">
        <regexp-list>
            <regexp value="[0-9]+"/>
        </regexp-list>
    </attribute>
    <attribute name="type">
        <literal-list>
            <literal value="a"/>
            <literal value="A"/>
            <literal value="i"/>
            <literal value="I"/>
            <literal value="1"/>
        </literal-list>
    </attribute>
</tag>
{code}
The literals "a", "A", "i", "I", "1" are all converted to lower case and result
in the following call {{Set.of("a", "a", "i", "i", "1")}}. On Java 9+, this
results in the following exception:
{noformat}
java.lang.IllegalArgumentException: duplicate element: a
    at java.base/java.util.ImmutableCollections$SetN.<init>(ImmutableCollections.java:587)
    at java.base/java.util.Set.of(Set.java:701)
    at org.owasp.shim.ForJava9AndLater.setOf(ForJava9AndLater.java:61)
    at org.owasp.html.HtmlPolicyBuilder$AttributeBuilder.matching(HtmlPolicyBuilder.java:933)
    at org.apache.sling.xss.impl.AntiSamyPolicyAdapter.<init>(AntiSamyPolicyAdapter.java:146)
    at org.apache.sling.xss.impl.HtmlSanitizer.<init>(HtmlSanitizer.java:40)
    ...
{noformat}
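The failure described in the issue can be reproduced in isolation. The following is an added example, not code from the issue, from Sling or from the OWASP sanitizer: it lower-cases the five "type" literals from the configuration and passes them to `Set.of()`, then shows that collapsing case-insensitive duplicates first avoids the exception. The class and method names are hypothetical, the deduplication step is an assumption about one way to avoid the error (not necessarily the fix applied in XSS Protection API 2.4.2), and it needs Java 9 or later to compile.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

public class OlTypeLiterals {

    // Literal values of the "ol" tag's "type" attribute, copied from the configuration in the issue.
    static final List<String> LITERALS = List.of("a", "A", "i", "I", "1");

    // Lower-cases every literal and keeps duplicates, which is the input the issue says reaches Set.of().
    static String[] lowerCased(List<String> literals) {
        return literals.stream()
                .map(s -> s.toLowerCase(Locale.ROOT))
                .toArray(String[]::new);
    }

    // Lower-cases and collapses duplicates (insertion order kept), so the result is safe for Set.of().
    static String[] lowerCasedDistinct(List<String> literals) {
        Set<String> distinct = literals.stream()
                .map(s -> s.toLowerCase(Locale.ROOT))
                .collect(Collectors.toCollection(LinkedHashSet::new));
        return distinct.toArray(new String[0]);
    }

    public static void main(String[] args) {
        try {
            // Equivalent to Set.of("a", "a", "i", "i", "1")
            Set.of(lowerCased(LITERALS));
            System.out.println("no exception");
        } catch (IllegalArgumentException e) {
            // Same exception type as the first frame of the stack trace in the issue
            System.out.println("Set.of rejected the literals: " + e.getMessage());
        }

        // After deduplication only "a", "i" and "1" remain, and Set.of() accepts them.
        Set<String> allowed = Set.of(lowerCasedDistinct(LITERALS));
        System.out.println("distinct literals accepted: " + allowed);
    }
}
```

Because the stack trace shows the exception surfacing from the `HtmlSanitizer` constructor, a unit test that builds the sanitizer from the shipped policy on each supported Java version is a direct way to catch this class of regression.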