[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754462#comment-17754462 ]

Stefan Seifert commented on SLING-10391:

I've found a separate system property {{org.owasp.esapi.logSpecial.discard}} that allows disabling that logging; continuing in SLING-12002.

> Improve MockXSSAPIImpl
> --
>
> Key: SLING-10391
> URL: https://issues.apache.org/jira/browse/SLING-10391
> Project: Sling
> Issue Type: Improvement
> Components: Testing
> Affects Versions: Testing Sling Mock 3.0.2
> Reporter: Henry Kuijpers
> Assignee: Stefan Seifert
> Priority: Major
> Fix For: Testing Sling Mock 3.4.12
>
>
> MockXSSAPIImpl only has a few very simplistic method implementations (i.e. for encodeForHTML it returns the input as-is).
> I think we can make some improvements to it, by:
> * Use StringEscapeUtils.escapeHtml4() to do HTML escaping (so that we can at least see a difference in the output)
> * Use StringEscapeUtils.escapeXml() to do XML escaping
> etc.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754178#comment-17754178 ]

Stefan Seifert commented on SLING-10391:

Hmm, I think that ticket does not help much. The SLF4J-based ESAPI LogFactory implementation is already configured in the Sling XSS module, but the log messages above are written to stdout before ESAPI sets up its own logging (intentionally).
[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754172#comment-17754172 ]

Robert Munteanu commented on SLING-10391:

SLING-4365 might have some useful ideas regarding how to adjust the logging.
[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754136#comment-17754136 ]

Stefan Seifert commented on SLING-10391:

Switching to {{org.apache.sling.xss.impl.XSSAPIImpl}} and mocking only the XSSFilter works well, but comes with a cosmetic downside. On the first unit test run ESAPI prints a bunch of log messages to System.out like

{noformat}
ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: C:\Users\stefan.seifert\esapi\ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: C:\Users\stefan.seifert\esapi\validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
{noformat}

It does not seem possible to disable this output, as it is logged before the actual logging implementation (which redirects to SLF4J as configured in ESAPI.properties from Sling XSS) is in place. Here is a discussion about this issue: https://github.com/ESAPI/esapi-java-legacy/issues/68 - they may change the implementation in the future, but the issue is already quite antique.
[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746051#comment-17746051 ]

Robin Brouns commented on SLING-10391:

I think that is indeed a better idea; otherwise we need to update & align the mocks on every single update of the implementation.

> Improve MockXSSAPIImpl
> --
>
> Key: SLING-10391
> URL: https://issues.apache.org/jira/browse/SLING-10391
> Project: Sling
> Issue Type: Bug
> Components: Testing
> Affects Versions: Testing Sling Mock 3.0.2
> Reporter: Henry Kuijpers
> Priority: Major
>
> MockXSSAPIImpl only has a few very simplistic method implementations (i.e. for encodeForHTML it returns the input as-is).
> I think we can make some improvements to it, by:
> * Use StringEscapeUtils.escapeHtml4() to do HTML escaping (so that we can at least see a difference in the output)
> * Use StringEscapeUtils.escapeXml() to do XML escaping
> etc.
[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17744191#comment-17744191 ]

Stefan Seifert commented on SLING-10391:

Looking at the implementation of the real XSSAPIImpl, I'm wondering why we mock it at all. In https://github.com/apache/sling-org-apache-sling-testing-sling-mock/pull/25 I've a different proposal that uses the real implementation and introduces a mock for the rather complex implementation of XSSFilter instead. WDYT?
[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17743173#comment-17743173 ]

Henry Kuijpers commented on SLING-10391:

Yes [~robin.bro...@amplexor.com]
[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl
[ https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17743170#comment-17743170 ]

Robin Brouns commented on SLING-10391:

PR: https://github.com/apache/sling-org-apache-sling-testing-sling-mock/pull/24
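The issue description quoted in this thread says the old MockXSSAPIImpl returns the input of encodeForHTML as-is, and Stefan's comment earlier in the thread argues for using the real encoder instead. The following Java program is an added example, not code from Sling Mock, the Sling XSS module or any commenter; it shows why a pass-through mock makes an output-encoding unit test useless: a component that encodes and one that forgets to encode render identical markup, so a test cannot tell them apart. `XssEncoder`, `TitleRenderer` and `MockXssDemo` are hypothetical names chosen for the example, the escaper is hand-written so the file compiles on its own (it stands in for StringEscapeUtils.escapeHtml4() in the test double and is not a replacement for that library in production code), and the script-tag input is a constructed sample.

```java
// Added example, not Sling Mock code. A narrowed stand-in for the XSSAPI interface:
// only encodeForHTML is modelled, which is enough to show the testing problem.
interface XssEncoder {
    String encodeForHTML(String source);
}

// Behaviour of the old MockXSSAPIImpl as the ticket describes it: input is returned unchanged.
final class PassThroughEncoder implements XssEncoder {
    @Override
    public String encodeForHTML(String source) {
        return source;
    }
}

// A test double that really escapes. Written by hand here so the file has no dependencies;
// in the real mock this is where StringEscapeUtils.escapeHtml4() would be called.
// It covers the characters that change meaning in an HTML text or attribute context.
final class EscapingEncoder implements XssEncoder {
    @Override
    public String encodeForHTML(String source) {
        if (source == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(source.length() + 16);
        for (int i = 0; i < source.length(); i++) {
            char c = source.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}

// Hypothetical component under test: renders a user-supplied title into an HTML fragment.
// The encodeOutput switch stands in for the bug a unit test should catch, namely a code
// path that writes the raw value into the markup without going through the encoder.
final class TitleRenderer {
    private final XssEncoder xss;
    private final boolean encodeOutput;

    TitleRenderer(XssEncoder xss, boolean encodeOutput) {
        this.xss = xss;
        this.encodeOutput = encodeOutput;
    }

    String render(String title) {
        String value = encodeOutput ? xss.encodeForHTML(title) : title;
        return "<h1>" + value + "</h1>";
    }
}

public final class MockXssDemo {
    // Constructed sample input: the usual script-tag probe as it would arrive in a request parameter.
    static final String INPUT = "<script>alert(1)</script>";

    // The check a unit test would assert on: the rendered fragment must not carry the raw tag through.
    static boolean leaksRawTag(String html) {
        return html.contains("<script>");
    }

    public static void main(String[] args) {
        XssEncoder[] encoders = { new PassThroughEncoder(), new EscapingEncoder() };
        for (XssEncoder enc : encoders) {
            String encodedPath = new TitleRenderer(enc, true).render(INPUT);
            String rawPath = new TitleRenderer(enc, false).render(INPUT);
            System.out.printf("%-19s encoding path leaks: %-5b  buggy path leaks: %b%n",
                    enc.getClass().getSimpleName(), leaksRawTag(encodedPath), leaksRawTag(rawPath));
            System.out.println("  encoding path output: " + encodedPath);
        }
    }
}
```

Compile and run with `javac MockXssDemo.java && java MockXssDemo`. With the pass-through encoder the correct and the buggy code path produce the same fragment, so an assertion on the output cannot distinguish a component that encodes from one that does not; with an encoder that actually escapes, only the buggy path leaks the tag, which is exactly the difference the ticket asks the mock to make visible.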