[ https://issues.apache.org/jira/browse/SLING-9694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17185258#comment-17185258 ]

Radu Cotescu commented on SLING-9694:
-------------------------------------

Copying the answer from SLING-9011:

I'm tempted to not pursue the fix here. The reason is that the newest version 
of the HTML standard does not enforce this rule any more and it was most 
probably based on the fact that most of the browsers are lenient and 
automatically correct the URLs they use when accessing the resources.

Section 12.1.2.3 [0] of the HTML standard mentions which characters are not 
allowed in an attribute value and the ampersand is not in this class. The 
standard does mention that ambiguous ampersands are not allowed, but these are 
defined as structures that look like a name character reference but are not 
one. Given the potential of introducing an incompatible change, I'm not sure if 
it would be really worth fixing this issue.

[0] - https://html.spec.whatwg.org/multipage/syntax.html#attributes-2

> XSSAPIImpl#getValidHref does not escape the ampersand character
> ---------------------------------------------------------------
>
>                 Key: SLING-9694
>                 URL: https://issues.apache.org/jira/browse/SLING-9694
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 1.0.0, XSS Protection API 2.0.0, XSS Protection API 2.1.0, XSS Protection API 2.2.0, XSS Protection API Compat 1.1.0
>            Reporter: Radu Cotescu
>            Assignee: Radu Cotescu
>            Priority: Major
>             Fix For: XSS Protection API 2.2.8
>
>
> {{XSSAPIImpl#getValidHref}} does not escape the ampersand character, although 
> the API's JavaDoc states that the method should "Sanitize a URL for writing 
> as an HTML href or src attribute value".
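An added illustration of the distinction the comment draws, not code from Sling or from the commenter: it classifies every ampersand in a candidate href value using the WHATWG definition of an ambiguous ampersand (Python's html.entities.html5 table stands in for the spec's named character reference list) and shows the unconditional escaping the issue asks getValidHref to perform. The function names are my own.

```python
import re
from html.entities import html5

# Only "&" + ASCII alphanumerics + ";" can be an ambiguous ampersand under
# the WHATWG definition: it must look like a named character reference.
_CANDIDATE = re.compile(r"&([A-Za-z0-9]+);")


def classify_ampersands(value: str) -> dict:
    """Classify each '&' in an attribute value by what a browser does with it.

    Returns a dict of offsets:
      'plain'     - not followed by alphanumerics and ';' (e.g. a query-string
                    separator); the spec allows it unescaped in an attribute
      'reference' - a real named reference such as '&amp;' or '&copy;', which
                    the browser decodes (silently changing the URL)
      'ambiguous' - shaped like a named reference but not one; the spec
                    forbids this in attribute values
    """
    result = {"plain": [], "reference": [], "ambiguous": []}
    matched = set()
    for m in _CANDIDATE.finditer(value):
        matched.add(m.start())
        key = m.group(1) + ";"
        result["reference" if key in html5 else "ambiguous"].append(m.start())
    for i, ch in enumerate(value):
        if ch == "&" and i not in matched:
            result["plain"].append(i)
    return result


def escape_attr_value(value: str) -> str:
    """Escape a string for a double-quoted HTML attribute value.

    Every '&' becomes '&amp;' first, so the result contains neither an
    ambiguous ampersand nor an accidental named reference and the browser
    hands the URL back byte-for-byte; the other replacements follow.
    """
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


if __name__ == "__main__":
    # Constructed sample hrefs covering the three cases.
    for href in ("/search?q=1&b=2", "/p?x=1&foo;y=2", "/p?x=1&copy;y"):
        print(href, classify_ampersands(href), "->", escape_attr_value(href))
```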



--
This message was sent by Atlassian Jira
(v8.3.4#803005)