[
https://issues.apache.org/jira/browse/SLING-4525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14386429#comment-14386429
]
ASF GitHub Bot commented on SLING-4525:
---------------------------------------
GitHub user vladbailescu opened a pull request:
https://github.com/apache/sling/pull/80
SLING-4525 - XSS protection path mangling issue
- Added proper encoding for colons in query string
- Added testcases based on Georg Koester's patch
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/vladbailescu/sling SLING-4525_xss_protection_colon
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/sling/pull/80.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #80
----
commit 75a326cae99a54de76652e97076bdeba465e65df
Author: vladbailescu <[email protected]>
Date: 2015-03-30T09:13:51Z
SLING-4525 - XSS protection path mangling issue
- Added proper encoding for colons in query string
- Added testcases based on Georg Koester's patch
----
> XSS protection path mangling issue
> ----------------------------------
>
> Key: SLING-4525
> URL: https://issues.apache.org/jira/browse/SLING-4525
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Affects Versions: XSS Protection API 1.0.0
> Reporter: Georg Koester
> Priority: Minor
> Attachments:
> 0001-Add-testcases-for-getValidHref-showing-problem-in-co.patch
>
>
> Last part in path gets prepended with an underscore if there is a colon in
> the query string. Test appended, to be applied on
> https://github.com/apache/sling/tree/196dea678c6010
> Test output:
> Failed tests:
> XSSAPIImplTest.testGetValidHref:267 Requested
> '/content/items/searchpages.html?0_tag:id=geo'
> expected:</content/items/[searchpages.html?0_tag%3a]id=geo> but
> was:</content/items/[_searchpages.html?0_tag_]id=geo>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
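The failing test quoted above shows the symptom of treating a colon inside the query string as if it marked a URL scheme: the expected href keeps its path and gets "%3a" in the query, while the actual output has the last path segment prefixed with an underscore and the colon replaced. The code below is an added example, not Sling's XSSAPIImpl and not the code in pull request #80. It shows the approach named in the commit message, percent-encoding colons in the query component before the href reaches a scheme check, so that "/content/items/searchpages.html?0_tag:id=geo" becomes "/content/items/searchpages.html?0_tag%3aid=geo" (the value the test expects) while "javascript:alert(1)" is still rejected. The filter model (colon_scheme), the SAFE_SCHEMES allowlist and all helper names are assumptions of this example.

```python
"""Added example (not Sling's code): keep a colon that sits in the query
string of an href from being read as a URL scheme separator, by
percent-encoding it before the href reaches a scheme-based XSS filter.
The filter model, allowlist and helper names are this example's assumptions.
"""

# Assumption: schemes a link may carry; anything else is rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}


def split_href(href):
    """Split href into (path, query, fragment); query and fragment are
    None when absent. Nothing is decoded, so an existing '%3a' survives."""
    fragment = None
    if "#" in href:
        href, fragment = href.split("#", 1)
    query = None
    if "?" in href:
        href, query = href.split("?", 1)
    return href, query, fragment


def join_href(path, query, fragment):
    """Inverse of split_href."""
    out = path
    if query is not None:
        out += "?" + query
    if fragment is not None:
        out += "#" + fragment
    return out


def encode_query_colons(href):
    """Replace ':' with '%3a' inside the query string only; the path and
    fragment are returned exactly as given."""
    path, query, fragment = split_href(href)
    if query is not None:
        query = query.replace(":", "%3a")
    return join_href(path, query, fragment)


def colon_scheme(href):
    """Model of a simple scheme-based filter (an assumption, not Sling's
    code): the text before the first ':' is taken as a scheme unless a '/'
    appears before it. Fed the raw test href, such a filter reports the
    bogus scheme 'searchpages.html?0_tag', which is the misclassification
    behind the mangled output in the quoted test failure."""
    colon = href.find(":")
    if colon == -1:
        return None
    if "/" in href[:colon]:
        return None
    return href[:colon].lower()


def get_valid_href(href):
    """Return the href with query colons encoded, or '' if it carries a
    scheme outside the allowlist."""
    encoded = encode_query_colons(href)
    scheme = colon_scheme(encoded)
    if scheme is None or scheme in SAFE_SCHEMES:
        return encoded
    return ""


if __name__ == "__main__":
    # Constructed inputs: the href from the quoted test plus a few edge cases.
    for h in ("/content/items/searchpages.html?0_tag:id=geo",
              "searchpages.html?0_tag:id=geo",
              "javascript:alert(1)",
              "https://example.org/a?b:c#x:y"):
        print(repr(h), "->", repr(get_valid_href(h)))
```

Encoding happens before the scheme check rather than instead of it: the path keeps any literal colon it already had (a colon after a slash never starts a scheme), and a real "javascript:" prefix is still caught because its colon is not inside a query string.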