[ https://issues.apache.org/jira/browse/SLING-12368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Sedding resolved SLING-12368.
------------------------------------
    Resolution: Duplicate

Yes [~joerghoh], this is a duplicate of SLING-12388.

> regression: rule for "ol" tag fails on java 9+ after SLING-12276
> ----------------------------------------------------------------
>
>                 Key: SLING-12368
>                 URL: https://issues.apache.org/jira/browse/SLING-12368
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Julian Sedding
>            Assignee: Julian Sedding
>            Priority: Major
>             Fix For: XSS Protection API 2.4.2
>
>
> The dependency update in SLING-12276 brings a change where 
> {{java.lang.Set.of()}} methods are used _if_ the runtime is Java 9+. 
> {{Set.of()}} throws an exception if any two arguments are equal.
> The configuration for the "ol" tag is as follows:
> {code:xml}
> <tag name="ol" action="validate">
>     <attribute name="start">
>         <regexp-list>
>             <regexp value="[0-9]+"/>
>         </regexp-list>
>     </attribute>
>     <attribute name="type">
>         <literal-list>
>             <literal value="a"/>
>             <literal value="A"/>
>             <literal value="i"/>
>             <literal value="I"/>
>             <literal value="1"/>
>         </literal-list>
>     </attribute>
> </tag>
> {code}
> The literals "a", "A", "i", "I", "1" are all converted to lower case and 
> result in the following call: {{Set.of("a", "a", "i", "i", "1")}}. On Java 
> 9+, this results in the following exception:
> {noformat}
> java.lang.IllegalArgumentException: duplicate element: a
>       at java.base/java.util.ImmutableCollections$SetN.<init>(ImmutableCollections.java:587)
>       at java.base/java.util.Set.of(Set.java:701)
>       at org.owasp.shim.ForJava9AndLater.setOf(ForJava9AndLater.java:61)
>       at org.owasp.html.HtmlPolicyBuilder$AttributeBuilder.matching(HtmlPolicyBuilder.java:933)
>       at org.apache.sling.xss.impl.AntiSamyPolicyAdapter.<init>(AntiSamyPolicyAdapter.java:146)
>       at org.apache.sling.xss.impl.HtmlSanitizer.<init>(HtmlSanitizer.java:40)
>         ...
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
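
Added example, not part of the original message and not Sling's or the OWASP sanitizer's code: a small check that scans an AntiSamy-style policy for literal-list entries that collide once lower-cased, which is the condition that makes Set.of() throw in the trace quoted above. The class name LiteralListCheck, the method findCollisions and the inline policy string are assumptions made for this illustration; the policy string is constructed from the "ol" rule in the issue.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class LiteralListCheck {
    // Constructed input: the "type" attribute of the "ol" rule quoted in the issue.
    static final String POLICY = "<tag name=\"ol\" action=\"validate\"><attribute name=\"type\"><literal-list>"
        + "<literal value=\"a\"/><literal value=\"A\"/><literal value=\"i\"/>"
        + "<literal value=\"I\"/><literal value=\"1\"/></literal-list></attribute></tag>";

    /** Returns "attribute: literal" for every literal that repeats once lower-cased. */
    static List<String> findCollisions(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs in policy files
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        List<String> hits = new ArrayList<>();
        NodeList lists = root.getElementsByTagName("literal-list");
        for (int i = 0; i < lists.getLength(); i++) {
            Element list = (Element) lists.item(i);
            Node parent = list.getParentNode();
            String attr = parent instanceof Element ? ((Element) parent).getAttribute("name") : "(root)";
            Set<String> seen = new HashSet<>();
            NodeList literals = list.getElementsByTagName("literal");
            for (int j = 0; j < literals.getLength(); j++) {
                String v = ((Element) literals.item(j)).getAttribute("value").toLowerCase(Locale.ROOT);
                if (!seen.add(v)) hits.add(attr + ": " + v); // second occurrence after lower-casing
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("colliding literals: " + findCollisions(POLICY));
        try {
            Set.of("a", "a", "i", "i", "1"); // the call from the issue; needs Java 9+
        } catch (IllegalArgumentException e) {
            System.out.println("Set.of: " + e.getMessage());
        }
    }
}
```

Running a check like this against a policy file before a sanitizer upgrade shows which rules would make HtmlSanitizer construction fail on Java 9+.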