Sling / SLING-9694

XSSAPIImpl#getValidHref does not escape the ampersand character


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: XSS Protection API 1.0.0, XSS Protection API 2.0.0, XSS Protection API 2.1.0, XSS Protection API 2.2.0, XSS Protection API Compat 1.1.0
    • Fix Version/s: None
    • Component/s: XSS Protection API
    • Labels: None

    Description

      XSSAPIImpl#getValidHref does not escape the ampersand character, although the API's JavaDoc states that the method should "Sanitize a URL for writing as an HTML href or src attribute value".

            People

              Assignee: Radu Cotescu (radu)
              Reporter: Radu Cotescu (radu)