Joerg Hoh created SLING-12388:
---------------------------------

             Summary: Handle duplicate literals
                 Key: SLING-12388
                 URL: https://issues.apache.org/jira/browse/SLING-12388
             Project: Sling
          Issue Type: Improvement
          Components: XSS Protection API
            Reporter: Joerg Hoh


When testing the most recent SNAPSHOT version of the bundle against a recent AEM as Cloud Service instance, I got this exception:

{noformat}
13.06.2024 10:04:54.106 *ERROR* [FelixStartLevel] 
org.apache.sling.xss.impl.XSSFilterImpl Unable to load policy from 
/libs/cq/xssprotection/config.xml
java.lang.IllegalArgumentException: duplicate element: a
        at 
java.base/java.util.ImmutableCollections$SetN.<init>(ImmutableCollections.java:604)
        at java.base/java.util.Set.of(Set.java:701)
        at org.owasp.shim.ForJava9AndLater.setOf(ForJava9AndLater.java:61) 
[org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
org.owasp.html.HtmlPolicyBuilder$AttributeBuilder.matching(HtmlPolicyBuilder.java:933)
 [org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
org.apache.sling.xss.impl.AntiSamyPolicyAdapter.<init>(AntiSamyPolicyAdapter.java:145)
 [org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
org.apache.sling.xss.impl.HtmlSanitizer.<init>(HtmlSanitizer.java:40) 
[org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
org.apache.sling.xss.impl.PolicyHandler.<init>(PolicyHandler.java:47) 
[org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
org.apache.sling.xss.impl.XSSFilterImpl.setActivePolicy(XSSFilterImpl.java:331) 
[org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
org.apache.sling.xss.impl.XSSFilterImpl.updatePolicy(XSSFilterImpl.java:293) 
[org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
org.apache.sling.xss.impl.XSSFilterImpl.activate(XSSFilterImpl.java:269) 
[org.apache.sling.xss:2.4.1.SNAPSHOT]
        at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        [...]
13.06.2024 10:04:54.109 *INFO* [FelixStartLevel] 
org.apache.sling.xss.impl.XSSFilterImpl Could not find a policy file at the 
configured location cq/xssprotection/config.xml. Attempting to use the default 
resource embedded in the bundle.
13.06.2024 10:04:54.282 *INFO* [FelixStartLevel] 
org.apache.sling.xss.impl.XSSFilterImpl Installed policy from the embedded 
SLING-INF/content/config.xml file from the bundle.
{noformat}

Analyzing this, I found that this snippet of the configuration is responsible for it:

{noformat}
<tag name="ol" action="validate">
    <attribute name="start">
        <regexp-list>
            <regexp value="[0-9]+"/>
        </regexp-list>
    </attribute>
    <attribute name="type">
        <literal-list>
            <literal value="a"/>
            <literal value="A"/>
            <literal value="i"/>
            <literal value="I"/>
            <literal value="1"/>
            <literal value="Ordered"/>
        </literal-list>
    </attribute>
</tag>
{noformat}

This configuration works with the previous version 2.4.0 of the XSS bundle. When I remove the uppercase variants of the literals from the configuration, I don't get the exception anymore with the latest SNAPSHOT.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
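Added illustration, not code from the Sling project or from the reporter: the trace above ends in Set.of(), which rejects repeated elements, and the quoted config lists both "a" and "A". Assuming (consistent with the trace, though not stated in the report) that the policy builder lowercases literals for case-insensitive matching, this stand-alone snippet reproduces the failure on the config's own literal values and shows a de-duplicating step a policy parser could apply before handing the literals to the builder.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class DuplicateLiteralDemo {

    // Constructed sample: the literal values from the <literal-list> of the
    // "type" attribute on <ol> in the quoted config.
    static final List<String> OL_TYPE_LITERALS =
            List.of("a", "A", "i", "I", "1", "Ordered");

    // Assumed builder behaviour: lowercase every literal for case-insensitive
    // matching, then wrap the result in Set.of(). Set.of() throws
    // IllegalArgumentException as soon as it sees a repeated element, so
    // "a" and "A" collide and the whole policy fails to load.
    static Set<String> strictCaseInsensitiveSet(List<String> literals) {
        List<String> lowered = new ArrayList<>();
        for (String s : literals) {
            lowered.add(s.toLowerCase(Locale.ROOT));
        }
        return Set.of(lowered.toArray(new String[0]));
    }

    // Tolerant alternative: collapse case variants before the builder sees
    // them. LinkedHashSet keeps first-seen order and silently drops repeats,
    // so a config that is merely redundant no longer aborts policy loading
    // (and therefore no longer triggers the fallback to the embedded policy).
    static Set<String> dedupedCaseInsensitiveSet(List<String> literals) {
        Set<String> lowered = new LinkedHashSet<>();
        for (String s : literals) {
            lowered.add(s.toLowerCase(Locale.ROOT));
        }
        return Collections.unmodifiableSet(lowered);
    }

    public static void main(String[] args) {
        try {
            strictCaseInsensitiveSet(OL_TYPE_LITERALS);
            System.out.println("strict: loaded without error");
        } catch (IllegalArgumentException e) {
            System.out.println("strict: Set.of rejected the literals: " + e.getMessage());
        }
        System.out.println("deduped: " + dedupedCaseInsensitiveSet(OL_TYPE_LITERALS));
    }
}
```

Run with `java DuplicateLiteralDemo.java` (JDK 11 or later); the strict variant fails the same way the trace does, while the de-duplicated set keeps one entry per case-insensitive value.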