[ https://issues.apache.org/jira/browse/SLING-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17058708#comment-17058708 ]
Konrad Windszus commented on SLING-6793:
----------------------------------------
[~cziegeler] Although it is pretty easy to get this in Java, there is no
[BindingsValuesProvider|https://github.com/apache/sling-org-apache-sling-scripting-api/blob/master/src/main/java/org/apache/sling/scripting/api/BindingsValuesProvider.java]
for the XSSApi (for any script engine). So what is your recommended way now to
get the XSSApi in JSP?
> Remove unused methods from XSSAPI
> ---------------------------------
>
> Key: SLING-6793
> URL: https://issues.apache.org/jira/browse/SLING-6793
> Project: Sling
> Issue Type: Improvement
> Components: XSS Protection API
> Reporter: Carsten Ziegeler
> Assignee: Karl Pauls
> Priority: Major
> Fix For: XSS Protection API 2.0.0
>
>
> The XSSAPI defines two methods:
> XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request);
> XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver);
> which imply that there is some user-specific XSS checking for validating
> hrefs. However, user-specific XSS validation is neither implemented nor does
> it make sense.
> Therefore we should remove these methods.
> At the same time we should remove the XSSAPIAdapterFactory as this is abusing
> the adapter pattern. Getting an XSSAPI service in Java or JSP is easy and
> there is no need to use the adapter pattern here.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)