[SLING-8851] Skip namespace mangling - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: XSS Protection API 2.1.18
Component/s: XSS Protection API
Labels:
None

Description

Historically, Sling needed to escape JCR namespaces from URL paths, since the ":" character posed a problem for older browsers. However, RFC 3986 [0] allows the colon in path segments and all current browsers don't have an issue with this for years.

The XSSAPI implementation currently present in Sling attempts to mangle JCR namespaces, but without any knowledge of the actual registered namespaces. Given that colon is not really a problem any more and that resource paths should anyways be passed through the org.apache.sling.api.resource.ResourceResolver#map(java.lang.String) API before being exposed as URLs, the code that attempts to perform mangling in the XSSAPI#getValidHref implementation should be removed.

For more details consult the dev list [1].

[0] - https://tools.ietf.org/html/rfc3986
[1] - https://s.apache.org/4ga5i

Attachments

Activity

People

Assignee:: Radu Cotescu

Reporter:: Radu Cotescu

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 20/Nov/19 09:15

Updated:: 06/Dec/19 12:06

Resolved:: 20/Nov/19 13:13