[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17563741#comment-17563741 ]

Tatyana Vogel commented on SLING-7231:
--------------------------------------

I moved from the "antisamy" to the "java HTML sanitizer" library. There is a draft pull request: https://github.com/apache/sling-org-apache-sling-xss/pull/28

> Move to owasp sanitizer library
> -------------------------------
>
>                 Key: SLING-7231
>                 URL: https://issues.apache.org/jira/browse/SLING-7231
>             Project: Sling
>          Issue Type: Improvement
>          Components: XSS Protection API
>            Reporter: Carsten Ziegeler
>            Assignee: Tatyana Vogel
>            Priority: Critical
>              Labels: gsoc2018, java, mentor
>          Time Spent: 4h
>  Remaining Estimate: 0h
>
> While looking at the extensive dependency list of the XSS module (which are all caused by the embedded owasp.org artifacts), I found out that the versions we use are outdated.
> So I think we should update those to the latest.
> Furthermore, the embedded antisamy library does not look to be maintained anymore (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project); instead the html sanitizer looks much fresher and claims to be faster: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> I think we should switch. Quick analysis:
> Pros:
> - Actively maintained
> - Much faster
> - Lightweight (also from a dependency POV)
> Cons:
> - Incompatible (and runtime-object based) configuration
> - Not completely feature equivalent (but close enough and better in some aspects)
> Some investigation is needed on how
> a) filter rules can be configured (e.g. sling configurations, file based, code bundle, ... ?)
> b) existing configurations can be migrated

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17538919#comment-17538919 ]

Robert Munteanu commented on SLING-7231:
----------------------------------------

I added some tests to validate CSS filtering in https://github.com/apache/sling-org-apache-sling-xss/pull/21.

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447447#comment-17447447 ]

Bertrand Delacretaz commented on SLING-7231:
--------------------------------------------

Looking at the test coverage (build with {{-P jacoco-report}} and look at {{target/site/jacoco-merged/index.html}}), it seems like some of the {{org.apache.sling.xss.impl}} code is not tested, especially the {{XSSFilterImpl}}, where the {{check}} method and a number of error cases are not tested.

I think at least the {{check}} method, being part of the public API, deserves to have tests added before making extensive changes to this module. The error cases might not be relevant anymore depending on how much the implementation changes.

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447440#comment-17447440 ]

Radu Cotescu commented on SLING-7231:
-------------------------------------

[~tvogel], the goal would be to completely replace at least AntiSamy (and its dependencies) with the HTML Sanitizer. If you can replace the other two as well, while still offering a meaningful implementation for the two APIs this bundle provides, namely {{org.apache.sling.xss.XSSAPI}} and {{org.apache.sling.xss.XSSFilter}}, then it's obviously a bigger win.

Another thing to keep in mind is trying to find a way to import AntiSamy configurations (you have an example in the bundle itself), but apply them to the HTML Sanitizer.

The {{xml-apis}} and {{xalan}} are only needed for AntiSamy. Parsing the AntiSamy config file shouldn't necessarily require these two.

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447255#comment-17447255 ]

Tatyana commented on SLING-7231:
--------------------------------

Hi [~cziegeler] and [~radu],

1. Am I supposed to change all the owasp dependencies, like "org.owasp.encoder", "org.owasp.antisamy" or "org.owasp.esapi", and replace them with the "owasp-java-html-sanitizer"? Or should I only replace the "owasp-java-html-sanitizer" with it?

2. Should I keep the dependencies:
   - xml-apis
   - xalan
   ?

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446458#comment-17446458 ]

Robert Munteanu commented on SLING-7231:
----------------------------------------

Thanks for the heads-up [~tvogel] - I've assigned this to you. Let us know here or on dev@sling.apache.org if you have questions.

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446449#comment-17446449 ]

Tatyana commented on SLING-7231:
--------------------------------

I will start to look into this issue.

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16726015#comment-16726015 ]

Konrad Windszus commented on SLING-7231:
----------------------------------------

Good timing: Someone contributed a PR for reading AntiSamy XMLs with HTML Sanitizer at https://github.com/OWASP/java-html-sanitizer/pull/161/.

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16720302#comment-16720302 ]

Konrad Windszus commented on SLING-7231:
----------------------------------------

In case we write a PolicyFactory based on the AntiSamy XSD, this should rather be contributed to https://github.com/OWASP/java-html-sanitizer, as this XML is not Sling-specific!

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16720297#comment-16720297 ]

Konrad Windszus commented on SLING-7231:
----------------------------------------

AFAIK we currently only use the HTML filtering part of AntiSamy, not the CSS filtering part. The translation from an AntiSamy XML to a {{HtmlSanitizer.Policy}} is probably quite complex and would not be 100% complete (for details refer to the AntiSamy XSD in https://github.com/andresriancho/owaspantisamy/blob/master/Java/antisamy/src/main/resources/antisamy.xsd).

Is backwards compatibility really necessary here, or should we rather come up with a more simplified configuration (maybe even based on an OSGi metatype)? IMHO this configuration was never documented on the Sling side (but it is mentioned at https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/security.html).

[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16395019#comment-16395019 ]

Radu Cotescu commented on SLING-7231:
-------------------------------------

Hello [~Gimo],

Apache Sling has an XSS protection library [0]; however, it's using OWASP's AntiSamy module for filtering HTML. The goal of this issue would be to transition the module to use the OWASP HTML Sanitizer Project [1]. However, there should be a bridge between these two dependencies, in the sense that the Apache Sling XSS Protection API module should still be able to read AntiSamy configurations, but apply them to [1], so that customers can upgrade the Apache Sling XSS Protection API module in-place, without the need to migrate configurations to a new format.

You should be familiar with Java, Maven and Git. XSS mitigation knowledge is recommended.

[0] - https://github.com/apache/sling-org-apache-sling-xss/
[1] - https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

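The bridge Radu describes here (read an AntiSamy configuration, apply it to the HTML Sanitizer) and the translation Konrad calls complex and necessarily incomplete in his comment above are the same piece of code. Below is an added example, not Sling's code and not the code of the linked PRs, showing a minimal version of that bridge for the {{common-regexps}} and {{tag-rules}} subset only: the class name {{AntiSamyPolicyBridge}}, the sample policy XML and the http/https protocol allow-list are constructed assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.w3c.dom.*;

/** Hypothetical bridge, not Sling code: AntiSamy-style tag-rules become an OWASP HTML Sanitizer PolicyFactory. */
public class AntiSamyPolicyBridge {
    /** Constructed sample in the shape of an AntiSamy policy, limited to the subset this bridge understands. */
    static final String SAMPLE_POLICY = "<anti-samy-rules>"
        + "<common-regexps><regexp name=\"onsiteURL\" value=\"^[/#][^:]*$\"/>"
        + "<regexp name=\"offsiteURL\" value=\"^https?://[^\\s]+$\"/></common-regexps>"
        + "<tag-rules><tag name=\"a\" action=\"validate\"><attribute name=\"href\" onInvalid=\"filterTag\">"
        + "<regexp-list><regexp name=\"onsiteURL\"/><regexp name=\"offsiteURL\"/></regexp-list></attribute></tag>"
        + "<tag name=\"b\" action=\"validate\"/><tag name=\"p\" action=\"validate\"/>"
        + "<tag name=\"script\" action=\"remove\"/></tag-rules></anti-samy-rules>";

    public static PolicyFactory fromAntiSamyXml(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // A policy file is trusted configuration, but parse it with DTDs and external entities disabled anyway.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // Xerces/JDK parser feature
        Element root = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();

        // Regexp definitions carry a value; references inside attribute rules carry only a name.
        Map<String, Pattern> regexps = new HashMap<>();
        for (Element r : elements(root, "regexp")) {
            if (r.hasAttribute("value")) regexps.put(r.getAttribute("name"), Pattern.compile(r.getAttribute("value")));
        }
        // Assumed protocol allow-list: AntiSamy folds this into its URL regexps, the sanitizer checks it separately.
        HtmlPolicyBuilder builder = new HtmlPolicyBuilder().allowUrlProtocols("http", "https");
        for (Element tag : elements(root, "tag")) {
            String name = tag.getAttribute("name");
            if (!"validate".equals(tag.getAttribute("action"))) {
                builder.disallowElements(name); // remove/filter/truncate/encode have no exact counterpart: stay strict
                continue;
            }
            builder.allowElements(name);
            for (Element attr : elements(tag, "attribute")) {
                StringBuilder alternation = new StringBuilder(); // the value must match at least one referenced regexp
                for (Element ref : elements(attr, "regexp")) {
                    Pattern p = regexps.get(ref.getAttribute("name"));
                    if (p == null) throw new IllegalArgumentException("unknown regexp " + ref.getAttribute("name"));
                    alternation.append(alternation.length() == 0 ? "(?:" : "|(?:").append(p.pattern()).append(')');
                }
                if (alternation.length() == 0) continue; // literal-list and unconstrained rules are out of scope here
                builder.allowAttributes(attr.getAttribute("name"))
                    .matching(Pattern.compile(alternation.toString())).onElements(name);
            }
        }
        return builder.toFactory();
    }

    /** Descendant elements by tag name; AntiSamy rules do not nest, so this is sufficient. */
    private static List<Element> elements(Element parent, String tagName) {
        NodeList nl = parent.getElementsByTagName(tagName);
        List<Element> out = new ArrayList<>();
        for (int i = 0; i < nl.getLength(); i++) out.add((Element) nl.item(i));
        return out;
    }

    public static void main(String[] args) throws Exception {
        PolicyFactory policy = fromAntiSamyXml(SAMPLE_POLICY);
        // Constructed untrusted input: the script element and the javascript: href must not survive, the relative link may.
        String dirty = "<p>Hi <b>there</b><script>alert(1)</script><a href=\"javascript:alert(1)\">bad</a> <a href=\"/docs\">docs</a></p>";
        System.out.println(policy.sanitize(dirty));
    }
}
```

The {{onInvalid}} attribute, {{literal-list}}, {{common-attributes}}, {{global-tag-attributes}} and {{css-rules}} are deliberately not handled, which is exactly the gap Konrad's comment predicts for any such translation.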
[jira] [Commented] (SLING-7231) Move to owasp sanitizer library

    [ https://issues.apache.org/jira/browse/SLING-7231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16394298#comment-16394298 ]

Gimo commented on SLING-7231:
-----------------------------

Hi,

I am a Computer Science and Engineering Undergraduate of the University of Moratuwa. I would like to work on this issue as my GSOC 2018 project. Would you please help me to understand the scope of this?

Best Regards,