In my understanding the namespace mangling was only introduced in the olden days of Sling to work around problems in some old browsers that did not support URLs with colons in them. I think those old browsers have not been in use for many, many years, so I assume it is no problem not to mangle the URLs nowadays, and +1 to removing the mangling from the XSS handling.
stefan

> -----Original Message-----
> From: Radu Cotescu
> Sent: Tuesday, November 19, 2019 4:02 PM
> To: Sling Dev
> Subject: [org.apache.sling.xss] namespace mangling
>
> Hi,
>
> From the very beginning, when the org.apache.sling.xss code was donated to Sling,
> it provided an implementation of the XSSAPI.getValidHref that mangles JCR
> namespaces from the passed URLs (let's not comment on the naming). However, the
> code that does this has no information about the registered namespaces that one
> can see when accessing the "/system/console/status-JCR%20Namespaces" console
> and, instead, works with patterns. Brittle, I know.
>
> Now, if we check the ResourceResolver API, specifically the
> org.apache.sling.api.resource.ResourceResolver#map(java.lang.String) method [0],
> we see that namespace mangling should be performed here [1].
>
> In my opinion we should completely remove the mangling functionality from the
> XSS implementation, since it's the caller's responsibility to provide a correct
> request path. We cannot assume all URLs passed to the XSSAPI.getValidHref are
> JCR paths and I wouldn't like to add more context in the implementation.
>
> Are there different opinions? I'd like to consult the dev list before opening an
> issue and removing the code in question [2].
>
> Thanks,
> Radu
>
> [0] - https://github.com/apache/sling-org-apache-sling-api/blob/11bf3603155af21201b0fced2c6968d2223254b9/src/main/java/org/apache/sling/api/resource/ResourceResolver.java#L294
> [1] - https://sling.apache.org/documentation/the-sling-engine/mappings-for-resource-resolution.html#namespace-mangling
> [2] - https://github.com/apache/sling-org-apache-sling-xss/blob/8ec9cf33080fbbb70dc6a51dea92533946295db8/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java#L194 <https://github.com/apache/sling-org-apache-sling-xss/blob/master/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java#L194>
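To make the "brittle" point in the quoted message concrete, here is an added illustration that is not code from the thread or from the Sling XSS module: a hypothetical pattern-only mangler (regex `ANY_PREFIX` and the `REGISTERED` prefix set are constructed for this example) beside one that consults the registered namespace prefixes, run over a JCR path and over two URLs that are not JCR paths.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed example: contrasts mangling "prefix:" segments on a pattern alone
// with mangling only prefixes known from the namespace registry.
public class NamespaceMangling {

    // Hypothetical pattern: any "prefix:" that directly follows a slash.
    private static final Pattern ANY_PREFIX = Pattern.compile("/([^:/]+):");

    // Constructed stand-in for the prefixes the JCR Namespaces console would list.
    private static final Set<String> REGISTERED = Set.of("jcr", "nt", "mix", "sling", "rep");

    /** Mangles on the pattern alone, with no knowledge of registered namespaces. */
    public static String manglePatternOnly(String url) {
        return ANY_PREFIX.matcher(url).replaceAll("/_$1_");
    }

    /** Mangles a segment only when its prefix is a registered namespace. */
    public static String mangleWithRegistry(String url) {
        Matcher m = ANY_PREFIX.matcher(url);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String prefix = m.group(1);
            String replacement = REGISTERED.contains(prefix) ? "/_" + prefix + "_" : m.group();
            m.appendReplacement(sb, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        String[] inputs = {
            "/content/site/jcr:content/image.png",             // JCR path: both agree
            "https://example.com:8080/content/page",           // host:port is not a namespace
            "/content/page?redirect=https://other.example/x"   // scheme inside a query value
        };
        for (String in : inputs) {
            System.out.println(in);
            System.out.println("  pattern-only:  " + manglePatternOnly(in));
            System.out.println("  with registry: " + mangleWithRegistry(in));
        }
    }
}
```

The pattern-only variant rewrites the second input to `https:/_example.com_8080/content/page` and corrupts the third, while the registry-aware variant leaves both untouched; the same information lives in the ResourceResolver, which is why mapping belongs there rather than in the XSS API.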
