Jan Stettler created SLING-6865:
-----------------------------------
Summary: Default Config sling/xss/config.xml and XSSFilterImpl is not the same
Key: SLING-6865
URL: https://issues.apache.org/jira/browse/SLING-6865
Project: Sling
Issue Type: Bug
Components: XSS Protection API
Reporter: Jan Stettler
Priority: Critical
There is a different default config for XSSFilterImpl .href
In XSSFilter the Pattern looks like
{code}
(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*"
{code}
In the /libs/sling/xss/config.xml itself it looks like
{code}
(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!\*\(\)]*(\s)*
{code}
In the config file there is a missing (\\)
Can you fix this?
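Java source writes every regex backslash as `\\` inside a string literal, while XML text stores it as a single `\`, so the two spellings above can only be compared after the Java literal has been decoded. The following added example (not part of the original report and not Sling code) does that for the two patterns quoted in this issue; it assumes the trailing `"` in the first snippet is the literal's closing quote, and the function and constant names are hypothetical.

```python
# Added example, not Sling code: decode a Java string literal body and compare
# it with the pattern text as it is stored in config.xml.

# Escapes handled here; octal escapes are deliberately not supported.
JAVA_SIMPLE_ESCAPES = {"\\": "\\", '"': '"', "'": "'",
                       "n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}

# Copied from the issue text. Assumption: the trailing quote in the first
# snippet closes the Java literal and is not part of the pattern.
JAVA_SOURCE_BODY = r"(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*"
CONFIG_XML_TEXT = r"(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!\*\(\)]*(\s)*"


def decode_java_literal(body: str) -> str:
    """Return the runtime string for the text between a Java literal's quotes."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash at end of literal")
        nxt = body[i + 1]
        if nxt == "u":  # \uXXXX unicode escape
            out.append(chr(int(body[i + 2:i + 6], 16)))
            i += 6
        elif nxt in JAVA_SIMPLE_ESCAPES:
            out.append(JAVA_SIMPLE_ESCAPES[nxt])
            i += 2
        else:
            raise ValueError(f"unsupported escape \\{nxt} at offset {i}")
    return "".join(out)


def first_difference(a: str, b: str) -> int:
    """Index of the first differing character, or -1 if the strings are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    print("source text vs XML:", first_difference(JAVA_SOURCE_BODY, CONFIG_XML_TEXT))
    print("decoded vs XML:", first_difference(decode_java_literal(JAVA_SOURCE_BODY), CONFIG_XML_TEXT))
```

A result of `-1` means the strings are identical; any other value is the offset at which they first diverge.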