Hi Andy,

On Mon, 2019-04-08 at 10:23 -0700, Andreas Schaefer wrote:
> Hi
>
> On the AEM 6.5 GA release I encountered an issue where a customer is
> using XSSSupport but that is not in the Uber-jar nor is it in the
> 2.4.0 sling scripting jsp tag lib artifact.
>
> Is there a replacement for XSSSupport or is the best way to use
> XSSAPI directly?

I cannot speak for AEM but from a Sling POV it would be better to use the XSS API directly. That's the service we want to use for XSS protection; the one contained in the taglib bundle was suitable mainly for consumption within the taglibs.

There is also the org.apache.sling.scripting.jsp.taglib.compat bundle, which contains the old XSSSupport, but I would recommend switching to the XSS API.

Thanks,
Robert

>
> Cheers - Andy Schaefer
>
>
> On Feb 11, 2019, at 7:23 AM, GitBox <[email protected]> wrote:
> >
> > rombert commented on issue #1: SLING-8266 - Stop embedding ESAPI
> > URL:
> > https://github.com/apache/sling-org-apache-sling-scripting-jsp-taglib/pull/1#issuecomment-462367402
> >
> >
> > Following @cziegeler 's suggestion I've moved 'helper' package
> > classes to 'internal' and will create a new compat bundle for the
> > old `XSSSupport` class.
> >
> > The reason (from [SLING-8019](
> > https://issues.apache.org/jira/browse/SLING-8019) ) is that there
> > is no need for a second XSS API now that we have the proper XSS
> > bundle.
> >
> > ----------------------------------------------------------------
> > This is an automated message from the Apache Git Service.
> > To respond to the message, please log on GitHub and use the
> > URL above to go to the specific comment.
> >
> > For queries about this service, please contact Infrastructure at:
> > [email protected]
> >
> >
> > With regards,
> > Apache Git Services
