Radu Cotescu created SLING-8851:
-----------------------------------
Summary: Skip namespace mangling
Key: SLING-8851
URL: https://issues.apache.org/jira/browse/SLING-8851
Project: Sling
Issue Type: Improvement
Components: XSS Protection API
Reporter: Radu Cotescu
Assignee: Radu Cotescu
Fix For: XSS Protection API 2.1.18
Historically, Sling needed to escape JCR namespaces from URL paths, since the
":" character posed a problem for older browsers. However, RFC 3986 [0] allows
the colon in path segments, and current browsers have not had an issue with it
for years.
The XSSAPI implementation currently present in Sling attempts to mangle JCR
namespaces, but without any knowledge of the actual registered namespaces.
Given that the colon is not really a problem any more and that resource paths
should anyway be passed through the
{{org.apache.sling.api.resource.ResourceResolver#map(java.lang.String)}} API
before being exposed as URLs, the code that attempts to perform mangling in the
{{XSSAPI#getValidHref}} implementation should be removed.
For more details consult the dev list [1].
[0] - https://tools.ietf.org/html/rfc3986
[1] - https://s.apache.org/4ga5i
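The layering the issue recommends, shown as an added example that is not code from the issue or from the Sling project: a hypothetical servlet ({{LinkServlet}}, the path {{/bin/example/link}} and the {{path}} request parameter are all assumptions) maps the repository path through {{ResourceResolver#map}} first, so namespace handling comes from the resolver's configured mappings, and only then passes the result to {{XSSAPI#getValidHref}} for validation.

```java
import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Hypothetical servlet (assumption, not part of Sling): renders a link to a
// repository resource whose path arrives as a request parameter.
@Component(service = Servlet.class,
           property = { "sling.servlet.paths=/bin/example/link" })
public class LinkServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssApi;

    @Override
    protected void doGet(SlingHttpServletRequest request,
                         SlingHttpServletResponse response)
            throws ServletException, IOException {
        ResourceResolver resolver = request.getResourceResolver();
        // Untrusted input: a repository path that may carry JCR namespace
        // prefixes such as "jcr:content". The default below is a constructed
        // sample value used only for illustration.
        String path = request.getParameter("path");
        if (path == null) {
            path = "/content/example/jcr:content";
        }

        String href = buildHref(resolver, xssApi, path);
        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("<a href=\"" + href + "\">link</a>");
    }

    // Produces the href value in the order the issue describes:
    // map first, validate second.
    static String buildHref(ResourceResolver resolver, XSSAPI xssApi, String path) {
        // Step 1: resolver.map() applies the configured resource mappings,
        // including any namespace mangling, so the XSS API does not have to
        // guess which prefixes are registered namespaces.
        String mapped = resolver.map(path);
        // Step 2: getValidHref() checks the mapped URL for use in an href
        // attribute; per its Javadoc it returns an empty string for values it
        // rejects, so a rejected input degrades to an empty attribute rather
        // than being written out raw.
        return xssApi.getValidHref(mapped);
    }
}
```

The point of the ordering is that validation operates on the URL form the resolver actually exposes, which is what the browser will receive; validating the raw repository path and mangling inside {{getValidHref}} duplicates resolver logic without the resolver's namespace knowledge.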
--
This message was sent by Atlassian Jira
(v8.3.4#803005)