Vlad Bailescu created SLING-5946:
------------------------------------
Summary: XSSAPI#encodeForJSString is not restrictive enough
Key: SLING-5946
URL: https://issues.apache.org/jira/browse/SLING-5946
Project: Sling
Issue Type: Bug
Components: Extensions
Affects Versions: XSS Protection API 1.0.8
Reporter: Vlad Bailescu
Fix For: XSS Protection API 1.0.10
Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding
{{</script>}} and {{<!--}}. We should revert to using OWASP
{{Encode#forJavaScript}} and handle {{-}} characters correctly for JSON too, by
replacing them with {{\u002D}}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
