[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-08-15 Thread Stefan Seifert (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754462#comment-17754462
 ] 

Stefan Seifert commented on SLING-10391:


i've found a separate system property {{org.owasp.esapi.logSpecial.discard}} 
that allows disabling that logging; continuing in SLING-12002.

> Improve MockXSSAPIImpl
> --
>
> Key: SLING-10391
> URL: https://issues.apache.org/jira/browse/SLING-10391
> Project: Sling
>  Issue Type: Improvement
>  Components: Testing
>Affects Versions: Testing Sling Mock 3.0.2
>Reporter: Henry Kuijpers
>Assignee: Stefan Seifert
>Priority: Major
> Fix For: Testing Sling Mock 3.4.12
>
>
> MockXSSAPIImpl only has a few very simplistic method implementations (i.e. 
> for encodeForHTML it returns the input as-is).
> I think we can make some improvements to it, by:
> * Use StringEscapeUtils.escapeHtml4() to do HTML escaping (so that we can at 
> least see a difference in the output)
> * Use StringEscapeUtils.escapeXml() to do XML escaping
> etc.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
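The issue description quoted above proposes replacing the pass-through encodeForHTML of MockXSSAPIImpl with real escaping; the snippet below is an added illustration, not code from Sling Mock or from either pull request, that puts the two behaviours side by side so a test can see why a pass-through mock gives no signal about missing output encoding. The escaper is hand-written here to avoid a commons-text dependency (it mirrors what StringEscapeUtils.escapeHtml4() does for the basic characters, plus the apostrophe), and the input string is constructed for the demo.

```java
// Added example (not Sling Mock's own code): pass-through vs escaping encodeForHTML.
public class MockEncodeForHtmlDemo {

    /** Behaviour the issue describes for MockXSSAPIImpl: input is returned as-is. */
    static String passThroughEncodeForHTML(String source) {
        return source;
    }

    /**
     * Escaping variant. Caveat: StringEscapeUtils.escapeHtml4() escapes & < > "
     * but leaves the single quote alone, so its output is only safe in text nodes
     * and double-quoted attributes. The apostrophe is escaped here as well.
     */
    static String escapingEncodeForHTML(String source) {
        if (source == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(source.length() + 16);
        for (int i = 0; i < source.length(); i++) {
            char c = source.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Constructed input: markup that must never reach the rendered page verbatim. */
    static final String PAYLOAD = "<b onmouseover=\"x()\">hi</b> & 'bye'";
    static final String EXPECTED =
        "&lt;b onmouseover=&quot;x()&quot;&gt;hi&lt;/b&gt; &amp; &#39;bye&#39;";

    public static void main(String[] args) {
        String mocked = passThroughEncodeForHTML(PAYLOAD);
        String escaped = escapingEncodeForHTML(PAYLOAD);
        // With the pass-through mock, a component test asserting on the encoded
        // output sees exactly the raw input, so it cannot catch a missing encode call.
        if (!PAYLOAD.equals(mocked)) {
            throw new AssertionError("pass-through mock changed its input");
        }
        if (!EXPECTED.equals(escaped)) {
            throw new AssertionError("unexpected escaping result: " + escaped);
        }
        System.out.println("pass-through: " + mocked);
        System.out.println("escaping    : " + escaped);
    }
}
```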


[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-08-14 Thread Stefan Seifert (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754178#comment-17754178
 ] 

Stefan Seifert commented on SLING-10391:


hmm, i think that ticket does not help much. the SLF4J-based ESAPI LogFactory 
implementation is already configured in the Sling XSS module - but the log 
messages above are written to stdout before ESAPI sets up its own logging 
(intentionally).



[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-08-14 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754172#comment-17754172
 ] 

Robert Munteanu commented on SLING-10391:

SLING-4365 might have some useful ideas regarding how to adjust the logging.



[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-08-14 Thread Stefan Seifert (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17754136#comment-17754136
 ] 

Stefan Seifert commented on SLING-10391:


switching to {{org.apache.sling.xss.impl.XSSAPIImpl}} and mocking only the 
XSSFilter works well, but comes with a cosmetic downside. on the first unit 
test run, ESAPI prints a bunch of log messages to System.out like:
{noformat}
ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
ESAPI: Attempting to load ESAPI.properties via file I/O.
ESAPI: Attempting to load ESAPI.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: 
D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\ESAPI.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: 
.esapi\ESAPI.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: 
C:\Users\stefan.seifert\esapi\ESAPI.properties
ESAPI: Loading ESAPI.properties via file I/O failed. Exception was: 
java.io.FileNotFoundException
ESAPI: Attempting to load ESAPI.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' 
using current thread context class loader!
ESAPI: SecurityConfiguration for Validator.ConfigurationFile.MultiValued not 
found in ESAPI.properties. Using default: false
ESAPI: Attempting to load validation.properties via file I/O.
ESAPI: Attempting to load validation.properties as resource file via file I/O.
ESAPI: Not found in 'org.owasp.esapi.resources' directory or file not readable: 
D:\Develop\github\wcm-io\io.wcm.samples\bundles\core\validation.properties
ESAPI: Not found in SystemResource Directory/resourceDirectory: 
.esapi\validation.properties
ESAPI: Not found in 'user.home' (C:\Users\stefan.seifert) directory: 
C:\Users\stefan.seifert\esapi\validation.properties
ESAPI: Loading validation.properties via file I/O failed.
ESAPI: Attempting to load validation.properties via the classpath.
ESAPI: SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ 
(root)' using current thread context class loader!
{noformat}

it does not seem possible to disable this output, as it is logged before the 
actual logging implementation (which redirects to SLF4J as configured in 
ESAPI.properties from Sling XSS) is in place. here is a discussion about this 
issue https://github.com/ESAPI/esapi-java-legacy/issues/68 - they may change 
the implementation in the future, but the issue is already quite antique.



[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-07-23 Thread Robin Brouns (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746051#comment-17746051
 ] 

Robin Brouns commented on SLING-10391:

Think that is indeed a better idea, otherwise we need to update & align the 
mocks on every single update of the implementation.

> Improve MockXSSAPIImpl
> --
>
> Key: SLING-10391
> URL: https://issues.apache.org/jira/browse/SLING-10391
> Project: Sling
>  Issue Type: Bug
>  Components: Testing
>Affects Versions: Testing Sling Mock 3.0.2
>Reporter: Henry Kuijpers
>Priority: Major
>
> MockXSSAPIImpl only has a few very simplistic method implementations (i.e. 
> for encodeForHTML it returns the input as-is).
> I think we can make some improvements to it, by:
> * Use StringEscapeUtils.escapeHtml4() to do HTML escaping (so that we can at 
> least see a difference in the output)
> * Use StringEscapeUtils.escapeXml() to do XML escaping
> etc.





[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-07-18 Thread Stefan Seifert (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17744191#comment-17744191
 ] 

Stefan Seifert commented on SLING-10391:


looking at the implementation of the real XSSAPIImpl i'm wondering why we mock 
it at all - in 
https://github.com/apache/sling-org-apache-sling-testing-sling-mock/pull/25 
i've a different proposal that uses the real implementation, and introduces a 
mock for the rather complex implementation of XSSFilter instead.

WDYT?



[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-07-14 Thread Henry Kuijpers (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17743173#comment-17743173
 ] 

Henry Kuijpers commented on SLING-10391:


Yes [~robin.bro...@amplexor.com]



[jira] [Commented] (SLING-10391) Improve MockXSSAPIImpl

2023-07-14 Thread Robin Brouns (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17743170#comment-17743170
 ] 

Robin Brouns commented on SLING-10391:

PR: https://github.com/apache/sling-org-apache-sling-testing-sling-mock/pull/24
