Yes, that is true, but we can change it 😊

-----Original Message-----
From: Thomas Vandahl <t...@apache.org>
Sent: Friday, 21 February 2025 16:28
To: dev@turbine.apache.org
Subject: Re: (turbine-core) 02/02: Fix for security check to prevent XSS for default Turbine keys from parameters, which might be set or not and e.g. used in templates and other places.

Hi Georg

> On 21.02.2025 at 11:55, g...@apache.org wrote:
> > + public static boolean keyRequiresClean(String parameter) { > + Matcher testMatcher = > Pattern.compile(CHARACTERS_NOT_ALLOWED_IN_KEY).matcher(parameter); > + return testMatcher.find();

It would probably be better to compile the Pattern statically, as this method will possibly be called multiple times *per request*.

Bye, Thomas
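
Review bot: keyRequiresClean passes parameter straight to matcher(), which throws a NullPointerException when the argument is null; the commit subject says these keys "might be set or not", so return false for a null parameter before matching. For the per-call Pattern.compile raised in the reply, a private static final Pattern field built from CHARACTERS_NOT_ALLOWED_IN_KEY is enough, since a compiled Pattern is immutable and can be shared across request threads, with a new Matcher created per call as the method already does. The method would also benefit from a Javadoc line stating that true means the key contains disallowed characters and must be cleaned before it is used in templates.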