[ https://issues.apache.org/jira/browse/SLING-11326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Munteanu resolved SLING-11326.
-------------------------------------
    Resolution: Fixed

Fixed in https://github.com/apache/sling-org-apache-sling-xss/pull/23 .

> Deprecate processing of embedded style sheets
> ---------------------------------------------
>
>                 Key: SLING-11326
>                 URL: https://issues.apache.org/jira/browse/SLING-11326
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: XSS Protection API 2.2.20
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When validating HTML, external stylesheets embedded in style tags are
> loaded and inlined. For example, validating
> ---
> <h1>Hello, world</h1>
> <style type="text/css">
> h1 { color: red }
> @import "https://example.com/my-awesome-input.css"
> </style>
> ---
> Will access https://example.com/my-awesome-input.css, inline it in the
> style tag, and validate it.
> This functionality is disabled in the default configuration we ship
> with Sling. I think this can have a stability and performance impact
> when enabled and therefore I propose that we stop supporting it in the
> future.
> See also https://lists.apache.org/thread/l1yfmc6jkd9gx5bmx509dy25dc6o434m

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
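
Added example, not part of the original message or of the Sling code base: a conservative pre-check that lists the @import targets inside embedded style blocks, so input like the sample in the issue can be flagged or rejected before it reaches a validator that has style sheet embedding enabled. The function names are hypothetical, and the regex-based extraction is an assumption made for illustration, not how the XSS Protection API parses HTML.

```python
import re

# Added example: names below are hypothetical, not part of the Sling XSS API.
_STYLE = re.compile(r"<style\b[^>]*>(.*?)(?:</style\s*>|\Z)", re.I | re.S)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
_IMPORT = re.compile(
    r"""@import(?![\w-])\s*(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)


def _unescape(match):
    """Decode a CSS hex escape such as \\69 so '@\\69mport' is still seen."""
    cp = int(match.group(1), 16)
    return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"


def find_style_imports(html):
    """Return every @import target found in embedded <style> blocks."""
    targets = []
    for css in _STYLE.findall(html):
        css = _COMMENT.sub(" ", css)        # commented-out rules do not load
        css = _ESCAPE.sub(_unescape, css)   # normalise escaped at-keywords
        targets.extend(_IMPORT.findall(css))
    return targets


# Constructed sample: the markup quoted in the issue description.
SAMPLE = """<h1>Hello, world</h1>
<style type="text/css">
h1 { color: red }
@import "https://example.com/my-awesome-input.css"
</style>"""

if __name__ == "__main__":
    print(find_style_imports(SAMPLE))
```

The check deliberately over-reports (for example, a style block inside an HTML comment is still scanned), which suits a reject-on-match filter placed in front of the validator.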