[
https://issues.apache.org/jira/browse/SLING-12388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17873519#comment-17873519
]
Julian Sedding commented on SLING-12388:
----------------------------------------
I added a test in https://github.com/apache/sling-org-apache-sling-xss/pull/44
> Handle duplicate literals
> -------------------------
>
> Key: SLING-12388
> URL: https://issues.apache.org/jira/browse/SLING-12388
> Project: Sling
> Issue Type: Improvement
> Components: XSS Protection API
> Reporter: Joerg Hoh
> Assignee: Joerg Hoh
> Priority: Major
> Fix For: XSS Protection API 2.4.2
>
>
> When testing the most recent SNAPSHOT version of the bundle against a recent
> AEM as Cloud Service instance, I got this exception:
> {noformat}
> 13.06.2024 10:04:54.106 *ERROR* [FelixStartLevel] org.apache.sling.xss.impl.XSSFilterImpl Unable to load policy from /libs/cq/xssprotection/config.xml
> java.lang.IllegalArgumentException: duplicate element: a
>     at java.base/java.util.ImmutableCollections$SetN.<init>(ImmutableCollections.java:604)
>     at java.base/java.util.Set.of(Set.java:701)
>     at org.owasp.shim.ForJava9AndLater.setOf(ForJava9AndLater.java:61) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at org.owasp.html.HtmlPolicyBuilder$AttributeBuilder.matching(HtmlPolicyBuilder.java:933) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at org.apache.sling.xss.impl.AntiSamyPolicyAdapter.<init>(AntiSamyPolicyAdapter.java:145) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at org.apache.sling.xss.impl.HtmlSanitizer.<init>(HtmlSanitizer.java:40) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at org.apache.sling.xss.impl.PolicyHandler.<init>(PolicyHandler.java:47) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at org.apache.sling.xss.impl.XSSFilterImpl.setActivePolicy(XSSFilterImpl.java:331) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at org.apache.sling.xss.impl.XSSFilterImpl.updatePolicy(XSSFilterImpl.java:293) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at org.apache.sling.xss.impl.XSSFilterImpl.activate(XSSFilterImpl.java:269) [org.apache.sling.xss:2.4.1.SNAPSHOT]
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> [...]
> 13.06.2024 10:04:54.109 *INFO* [FelixStartLevel] org.apache.sling.xss.impl.XSSFilterImpl Could not find a policy file at the configured location cq/xssprotection/config.xml. Attempting to use the default resource embedded in the bundle.
> 13.06.2024 10:04:54.282 *INFO* [FelixStartLevel] org.apache.sling.xss.impl.XSSFilterImpl Installed policy from the embedded SLING-INF/content/config.xml file from the bundle.
> {noformat}
> Analyzing this, I found that this snippet of the configuration is responsible for it:
> {noformat}
> <tag name="ol" action="validate">
>     <attribute name="start">
>         <regexp-list>
>             <regexp value="[0-9]+"/>
>         </regexp-list>
>     </attribute>
>     <attribute name="type">
>         <literal-list>
>             <literal value="a"/>
>             <literal value="A"/>
>             <literal value="i"/>
>             <literal value="I"/>
>             <literal value="1"/>
>             <literal value="Ordered"/>
>         </literal-list>
>     </attribute>
> </tag>
> {noformat}
> This configuration works with the previous version 2.4.0 of the XSS bundle.
> When I remove the uppercase variants of the literals from the configuration,
> I don't get the exception anymore with the latest SNAPSHOT.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
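The report above shows a policy that loads fine in 2.4.0 but fails in the 2.4.1 SNAPSHOT with `duplicate element: a`, and that dropping the uppercase literals makes the failure go away. A practitioner upgrading the bundle would want a way to find such attributes in a policy before deploying it, and to see the de-duplication a policy adapter needs before it hands a literal list to `java.util.Set.of`. The following is an added example, not code from the Sling XSS bundle or from the reporter; it assumes (inferred from the error text and from the effect of removing the uppercase variants, not stated on the page) that the newer bundle compares literals case-insensitively, and the sample policy fragment is constructed from the snippet in the report plus one tag that does not trip the check.

```python
"""Lint an AntiSamy-style XSS policy for literal-lists that collapse under
case-folding, and show the order-preserving de-duplication that avoids
feeding duplicates to an immutable set constructor.

Added example; the case-insensitive comparison is an assumption inferred
from the reported error, not confirmed by the issue text.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy: the <ol> tag from the report plus a harmless tag.
POLICY_XML = """<?xml version="1.0"?>
<anti-samy-rules>
  <tag-rules>
    <tag name="ol" action="validate">
      <attribute name="start">
        <regexp-list><regexp value="[0-9]+"/></regexp-list>
      </attribute>
      <attribute name="type">
        <literal-list>
          <literal value="a"/><literal value="A"/>
          <literal value="i"/><literal value="I"/>
          <literal value="1"/><literal value="Ordered"/>
        </literal-list>
      </attribute>
    </tag>
    <tag name="a" action="validate">
      <attribute name="target">
        <literal-list>
          <literal value="_blank"/><literal value="_self"/>
        </literal-list>
      </attribute>
    </tag>
  </tag-rules>
</anti-samy-rules>"""


def fold(value):
    """Assumed normalisation applied to literals before they are compared."""
    return value.lower()


def find_collapsing_literals(xml_text):
    """Return {(tag, attribute): {folded: [original, ...]}} for every
    literal-list whose entries are no longer unique after folding."""
    root = ET.fromstring(xml_text)
    findings = {}
    for tag in root.iter("tag"):
        for attr in tag.findall("attribute"):
            groups = {}
            for lit in attr.findall("./literal-list/literal"):
                raw = lit.get("value")
                groups.setdefault(fold(raw), []).append(raw)
            dupes = {k: v for k, v in groups.items() if len(v) > 1}
            if dupes:
                findings[(tag.get("name"), attr.get("name"))] = dupes
    return findings


def dedupe_literals(values):
    """Order-preserving, case-folded de-duplication: keeps the first spelling
    seen, which is what an adapter should do before building an immutable set."""
    seen = {}
    for v in values:
        seen.setdefault(fold(v), v)
    return list(seen.values())


def immutable_set_of(values):
    """Mimic java.util.Set.of: reject duplicates instead of silently merging,
    which is the behaviour behind the IllegalArgumentException in the trace."""
    result = set()
    for v in values:
        if v in result:
            raise ValueError(f"duplicate element: {v}")
        result.add(v)
    return frozenset(result)


if __name__ == "__main__":
    for (tag, attr), dupes in find_collapsing_literals(POLICY_XML).items():
        print(f"<{tag}> attribute '{attr}' collapses: {dupes}")
    literals = ["a", "A", "i", "I", "1", "Ordered"]
    try:
        immutable_set_of(fold(v) for v in literals)
    except ValueError as e:
        print("raw list:", e)
    print("deduped:", sorted(immutable_set_of(fold(v) for v in dedupe_literals(literals))))
```

Run against a real `config.xml` by replacing `POLICY_XML` with the file contents; every key the linter reports is an attribute that the older bundle accepted but that would trigger the exception if the newer bundle folds case before calling `Set.of`. Whether to keep both spellings in the policy is a separate decision: if the sanitizer matches case-insensitively, the uppercase entries add nothing; if it does not, removing them tightens what `<ol type="A">` is allowed to carry.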