[
https://issues.apache.org/jira/browse/SLING-8266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16764944#comment-16764944
]
Robert Munteanu commented on SLING-8266:
----------------------------------------
Thanks [~cziegeler], missed that.

I am not sure what the best way to remove the package export would be. We still
need to use the static methods on {{XSSSupport}} (see also the pull review
discussion) since we are calling the static encode method from another static
context (EL Function). The {{XSSSupport.ENCODING_MODE}} enum is also exported.
It's not used in APIs but on the other hand its string form is used to parse
input in {{SlingFunctions}} and {{EncodeTag}}.

(For the sake of the discussion let's call the new bundle
{{scripting-jsp-taglib-compat}}).

We can move the {{XSSSupport}} class to the support bundle and then import it
in the taglib bundle, but we still have that package export in Sling and
elsewhere. We can move the support class to an internal package in the taglib
bundle, but then we'd have to copy the code to the compat bundle (or inline
it?) so that it's available in the same form.

Thoughts?

> Stop embedding ESAPI
> --------------------
>
> Key: SLING-8266
> URL: https://issues.apache.org/jira/browse/SLING-8266
> Project: Sling
> Issue Type: Improvement
> Components: Scripting
> Reporter: Robert Munteanu
> Priority: Major
> Fix For: Scripting JSP Taglib 2.3.2
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> Since we now have an XSS API in Sling we should use this instead of embedding
> the ESAPI jars, since:
> - bundle size will be reduced
> - possibility to embed an out-of-date version is removed