Hi,

From the very beginning, when the org.apache.sling.xss code was donated to Sling, it provided an implementation of the XSSAPI.getValidHref that mangles JCR namespaces from the passed URLs (let’s not comment on the naming). However, the code that does this has no information about the registered namespaces that one can see when accessing the "/system/console/status-JCR%20Namespaces" console and, instead, works with patterns. Brittle, I know.

Now, if we check the ResourceResolver API, specifically the org.apache.sling.api.resource.ResourceResolver#map(java.lang.String) method [0], we see that namespace mangling should be performed here [1]. In my opinion we should completely remove the mangling functionality from the XSS implementation, since it’s the caller’s responsibility to provide a correct request path. We cannot assume all URLs passed to the XSSAPI.getValidHref are JCR paths and I wouldn’t like to add more context in the implementation.

Are there different opinions? I’d like to consult the dev list before opening an issue and removing the code in question [2].

Thanks,
Radu

[0] - https://github.com/apache/sling-org-apache-sling-api/blob/11bf3603155af21201b0fced2c6968d2223254b9/src/main/java/org/apache/sling/api/resource/ResourceResolver.java#L294
[1] - https://sling.apache.org/documentation/the-sling-engine/mappings-for-resource-resolution.html#namespace-mangling
[2] - https://github.com/apache/sling-org-apache-sling-xss/blob/8ec9cf33080fbbb70dc6a51dea92533946295db8/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java#L194 <https://github.com/apache/sling-org-apache-sling-xss/blob/master/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java#L194>
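
An added illustration of the brittleness described in the message above (not part of the original mail and not Sling's code): it contrasts mangling by pattern alone with mangling limited to a known set of namespace prefixes. The regex, the class and method names, the prefix set and the sample URLs are all assumptions made for this example.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NamespaceManglingDemo {

    // Assumed pattern: a path segment that begins with "<prefix>:".
    static final Pattern SEGMENT_PREFIX = Pattern.compile("/([^:/]+):");

    // Constructed sample of registered prefixes; a real repository lists its own.
    static final Set<String> REGISTERED = Set.of("jcr", "sling", "nt", "rep");

    // Pattern-only mangling: every "/prefix:" becomes "/_prefix_",
    // whether or not "prefix" is a namespace the repository knows.
    static String manglePatternOnly(String path) {
        Matcher m = SEGMENT_PREFIX.matcher(path);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement("/_" + m.group(1) + "_"));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Registry-aware mangling: only prefixes in the supplied set are rewritten;
    // any other "/something:" segment is copied through unchanged.
    static String mangleRegistered(String path, Set<String> prefixes) {
        Matcher m = SEGMENT_PREFIX.matcher(path);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String prefix = m.group(1);
            String repl = prefixes.contains(prefix) ? "/_" + prefix + "_" : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        String[] samples = {                          // constructed inputs
            "/content/site/en/jcr:content/image.png", // a JCR path
            "/api/books/urn:isbn:0451450523"          // not a JCR path
        };
        for (String s : samples) {
            System.out.println("input:          " + s);
            System.out.println("pattern-only:   " + manglePatternOnly(s));
            System.out.println("registry-aware: " + mangleRegistered(s, REGISTERED));
        }
    }
}
```

For the second input the pattern-only variant rewrites the `urn:` segment even though `urn` is not a namespace prefix, which is the kind of change to a non-JCR URL that the message argues a validation method should not be making.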
