[
https://issues.apache.org/jira/browse/SLING-5946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988617#comment-16988617
]
Robert Munteanu commented on SLING-5946:
----------------------------------------
[~ilatypov] - thank you for digging this up and for providing the extra
context. This issue has been closed and we can't reopen it due to how our Jira
workflows are set up. Could I ask you to create a new Jira issue? Thanks.
> XSSAPI#encodeForJSString is not restrictive enough
> --------------------------------------------------
>
> Key: SLING-5946
> URL: https://issues.apache.org/jira/browse/SLING-5946
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Affects Versions: XSS Protection API 1.0.8
> Reporter: Vlad Bailescu
> Assignee: Robert Munteanu
> Priority: Major
> Fix For: XSS Protection API 1.0.12
>
> Attachments: SLING_5946.patch
>
>
> Since SLING-5445, {{XSSAPI#encodeForJSString}} is no longer properly encoding
> {{</script>}} and {{<!--}}. We should revert to using OWASP
> {{Encode#forJavaScript}} and handle - characters correctly for JSON too, by
> replacing them with {{\u002D}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
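The property the quoted report is about, shown as an added example that is not part of this Jira thread and is neither Sling's XSSAPI nor the OWASP Encode library: an allow-list encoder for the JavaScript-string context that turns every code unit outside a small safe set into a `\uXXXX` escape, which is legal in both a JS string literal and a JSON string. `encodeForJSString`, `leavesScriptContext` and `decodeViaJson` are names I chose for this illustration; the safe set is an assumption, not the OWASP one. The check function expresses the regression the report describes: after encoding, neither `</script>` nor `<!--` nor a bare `-` may survive.

```javascript
// Added example (not Sling's XSSAPI or OWASP Encode): an allow-list encoder for
// the JavaScript-string context. Anything outside SAFE becomes \uXXXX, which
// is a legal escape in both JS string literals and JSON strings.
const SAFE = /^[A-Za-z0-9 ,._]$/;

// Format one UTF-16 code unit as an upper-case \uXXXX escape.
function unicodeEscape(ch) {
  return "\\u" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0");
}

// Encode a value for placement between quotes inside a <script> block.
// Iterates by code unit, so a surrogate pair becomes two escapes that JS and
// JSON parsers reassemble correctly. '-' is emitted as \u002D, as the report
// asks, so HTML comment markers cannot be formed from the output.
function encodeForJSString(input) {
  const s = String(input);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += SAFE.test(ch) ? ch : unicodeEscape(ch);
  }
  return out;
}

// The regression described in the report: does the encoded text still contain
// anything that could close the <script> block or open/close an HTML comment?
function leavesScriptContext(encoded) {
  const lower = encoded.toLowerCase();
  return ["</script", "<!--", "-->"].some((marker) => lower.includes(marker));
}

// Round trip through JSON.parse: an output that parses back to the input shows
// the escapes are valid JSON as well as valid JavaScript.
function decodeViaJson(encoded) {
  return JSON.parse('"' + encoded + '"');
}

// Stand-alone demonstration on constructed inputs (runs only when executed
// directly under Node's CommonJS loader).
if (typeof require !== "undefined" && require.main === module) {
  for (const sample of ["</script>", "<!-- x -->", "a-b", "it's \"quoted\""]) {
    const enc = encodeForJSString(sample);
    console.log(JSON.stringify(sample), "->", enc, "| breakout:", leavesScriptContext(enc));
  }
}
```

Because the output contains only characters from the safe set plus `\uXXXX` sequences, the same encoded string can be dropped into a JSON literal inside a `<script>` block without a second, JSON-specific pass.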