[ https://issues.apache.org/jira/browse/SLING-5946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Radu Cotescu closed SLING-5946.
-------------------------------

> XSSAPI#encodeForJSString is not restrictive enough
> --------------------------------------------------
>
>                 Key: SLING-5946
>                 URL: https://issues.apache.org/jira/browse/SLING-5946
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: XSS Protection API 1.0.8
>            Reporter: Vlad Bailescu
>            Assignee: Robert Munteanu
>             Fix For: XSS Protection API 1.0.12
>
>         Attachments: SLING_5946.patch
>
>
> Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding
> {{</script>}} and {{<!--}}. We should revert to using OWASP
> {{Encode#forJavaScript}} and handle - characters correctly for JSON too, by
> replacing them with {{\u002D}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
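The two requirements in the ticket pull in different directions: a value dropped into an inline `<script>` must never contain a literal `</script>` or `<!--` (the HTML tokenizer acts on those before the JavaScript engine ever sees the string), while the same output has to stay a valid JSON string body, so the `\-` escape that a pure JavaScript encoder may emit is not acceptable and `\u002D` is needed instead. The following is an added example that is neither Sling's XSSAPIImpl nor the OWASP Java Encoder; it re-implements that policy in Python so both properties can be checked directly. The exact escape alphabet (`\ " ' / < > & -`, control characters, U+2028/U+2029) is this example's own assumption, modelled on the behaviour the ticket asks for, and `json_only_encode` stands in for a JSON-only serializer to show the gap the ticket reports, not for Sling's pre-fix code.

```python
import json

# Assumption (this example's own table, not the OWASP encoder's): every escape
# here is a JSON-legal escape, so the output is usable both inside a JS string
# literal in <script> and as the body of a JSON string.
_JSON_COMPATIBLE_ESCAPES = {
    "\\": "\\\\",
    '"': "\\u0022",
    "'": "\\u0027",
    "/": "\\/",       # legal JSON escape; stops "</script>" appearing literally
    "<": "\\u003C",
    ">": "\\u003E",
    "&": "\\u0026",
    "-": "\\u002D",   # "\-" is fine in JS but is NOT a legal JSON escape
}


def encode_for_js_string(value):
    """Encode value for placement inside a quoted JS string literal.

    Unlike a JSON-only encoder, '<', '>', '/', and '-' are always escaped so
    that '</script>', '<!--' and '-->' cannot survive into the HTML tokenizer.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if ch in _JSON_COMPATIBLE_ESCAPES:
            out.append(_JSON_COMPATIBLE_ESCAPES[ch])
        elif cp < 0x20 or cp in (0x2028, 0x2029):
            # control characters and the two Unicode line terminators that end
            # a JS string literal but are not escaped by many HTML-oriented encoders
            out.append("\\u%04X" % cp)
        else:
            out.append(ch)
    return "".join(out)


def json_only_encode(value):
    """Plain JSON string escaping, as a stand-in for a JSON-only serializer.

    Illustrates the ticket's complaint: '/', '<', '>' and '-' pass through
    untouched, so '</script>' and '<!--' reach the HTML parser intact.
    """
    return json.dumps(value)[1:-1]


def can_break_out_of_script(encoded):
    """True if the encoded text still contains a token the HTML tokenizer acts
    on inside <script> (end tag, or the comment-start/end sequences)."""
    low = encoded.lower()
    return "</script" in low or "<!--" in low or "-->" in low


def is_valid_json_string_body(encoded):
    """True if '"' + encoded + '"' parses as a JSON string."""
    try:
        json.loads('"' + encoded + '"')
        return True
    except ValueError:
        return False


def decodes_back_to(encoded, original):
    """Round-trip check: decoding the JSON form must give the original text."""
    return json.loads('"' + encoded + '"') == original


if __name__ == "__main__":
    # Constructed sample, not taken from the ticket.
    sample = "</script><!-- 'x' & \"y\" -->\n"
    print(json_only_encode(sample))        # '</script>' survives: not safe in <script>
    print(encode_for_js_string(sample))    # \u003C\/script\u003E\u003C!\u002D\u002D ...
    print(is_valid_json_string_body("\\-"))  # False: why "\-" must become \u002D
```

Run it and compare the two encodings of `sample`: the JSON-only form still contains `</script>` and `<!--`, while the hardened form contains neither and still decodes back to the original through a JSON parser. The last line shows the second half of the ticket: a bare `\-` is a JavaScript-only escape, so an encoder that emits it is unusable for JSON unless `-` is written as `\u002D`.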