[
https://issues.apache.org/jira/browse/SLING-5946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988471#comment-16988471
]
Ilguiz Latypov commented on SLING-5946:
---------------------------------------
[~radu], [~rombert], [~vladb]
> XSSAPI#encodeForJSString is not restrictive enough
> --------------------------------------------------
>
> Key: SLING-5946
> URL: https://issues.apache.org/jira/browse/SLING-5946
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Affects Versions: XSS Protection API 1.0.8
> Reporter: Vlad Bailescu
> Assignee: Robert Munteanu
> Priority: Major
> Fix For: XSS Protection API 1.0.12
>
> Attachments: SLING_5946.patch
>
>
> Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding
> {{</script>}} and {{<!--}}. We should revert to using OWASP
> {{Encode#forJavaScript}} and handle - characters correctly for JSON too, by
> replacing them with {{\u002D}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
