[https://issues.apache.org/jira/browse/SLING-6787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15982563#comment-15982563]
Alex COLLIGNON commented on SLING-6787:
---------------------------------------
Hi [~cziegeler],
bq. Thanks for the patch.
You're welcome.
bq. I see that you replaced the usage of StringEscapeUtils.escapeHtml with
using the xss api service. Is this really required, or can't we simply use
StringEscapeUtils.escapeHtml in all the places?
{{StringEscapeUtils.escapeHtml}} is meant to not break HTML context while the
{{XSS Api}} is meant to make it safe - think javascript payload.
bq. I'm asking as this introduces a new dependency to the xss service
I think it is worth introducing the dependency but I might be a little biased
here ;-).
> HTMLRendererServlet should properly encode output
> -------------------------------------------------
>
> Key: SLING-6787
> URL: https://issues.apache.org/jira/browse/SLING-6787
> Project: Sling
> Issue Type: Improvement
> Components: Servlets
> Affects Versions: Servlets Get 2.1.18
> Reporter: Alex COLLIGNON
> Fix For: Servlets Get 2.1.24
>
> Attachments:
> 0001-SLING-6787-HTMLRendererServlet-shoud-properly-encode.patch
>
>
> Some of the values rendered by HTMLRendererServlet can be (better) encoded.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
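To make the distinction in the comment above concrete, here is an added example (my own Python model, not code from the Sling patch, from commons-lang or from the Sling XSS API): escape_html models what StringEscapeUtils.escapeHtml does to the HTML-significant characters, encode_for_html_attr and valid_href model the context-aware encoding and href validation the XSS API provides, and a small HTML parser counts the attributes each rendering actually produces. The function names, the allowed-scheme list and the sample inputs are my assumptions, not the Java APIs.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
def escape_html(value: str) -> str:
    """Entity-encode & < > " like StringEscapeUtils.escapeHtml (commons-lang 2):
    fine for element text, but ' is untouched and javascript:... has nothing to encode."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def encode_for_html_attr(value: str) -> str:
    """Attribute context: also encode ' so a value can never close a
    single-quoted attribute and start a new one."""
    return escape_html(value).replace("'", "&#39;")

ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL (assumed list)

def valid_href(value: str) -> str:
    """href context: validate the scheme, then encode; anything else becomes
    "" (what XSSAPI.getValidHref documents for invalid input)."""
    value = value.strip()
    scheme = urlsplit(value).scheme.lower()
    return encode_for_html_attr(value) if scheme in ALLOWED_SCHEMES else ""

def render_link_escape_html(href: str, title: str) -> str:
    """'Before' style: one generic encoder for every output context."""
    return "<a href='%s' title='%s'>x</a>" % (escape_html(href), escape_html(title))

def render_link_context_aware(href: str, title: str) -> str:
    """XSS-API style: encoder or validator chosen per output context."""
    return "<a href='%s' title='%s'>x</a>" % (valid_href(href), encode_for_html_attr(title))

class _FirstStartTag(HTMLParser):
    """Records the attributes a browser-like parser sees on the first tag."""
    def __init__(self):
        super().__init__()
        self.attrs, self.seen = {}, False
    def handle_starttag(self, tag, attrs):
        if not self.seen:
            self.attrs, self.seen = dict(attrs), True

def parsed_attributes(markup: str) -> dict:
    parser = _FirstStartTag()
    parser.feed(markup)
    return parser.attrs

if __name__ == "__main__":
    # Constructed inputs: attribute break-out attempt + script-scheme href.
    title, href = "' onmouseover='alert(1)", "javascript:alert(1)"
    print(sorted(parsed_attributes(render_link_escape_html(href, title))))
    print(sorted(parsed_attributes(render_link_context_aware(href, title))))
```

Only the generic-encoder rendering ends up with a third attribute and an unchanged javascript: href, which is the "think javascript payload" point: entity encoding keeps markup intact, it does not decide whether a value is acceptable in its context.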