Apache Sling XSS Protection

This module is part of the Apache Sling project.

The Apache Sling XSS Bundle provides two OSGi services for escaping and filtering user-submitted content before it reaches an output context where it could cause cross-site scripting: XSSAPI offers context-specific encoders (HTML body, HTML attribute, XML, JavaScript string, CSS string) and validators (hrefs, numbers, dimensions, JS/style tokens, JSON, XML) plus an HTML filter, while XSSFilter checks or filters HTML against the bundle's AntiSamy policy.

  1. org.apache.sling.xss.XSSAPI
  2. org.apache.sling.xss.XSSFilter

See the JavaDoc of each service for the complete API surface.
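The following is an added usage example, not code shipped with the Sling XSS bundle. It shows the point that matters most in practice: the same untrusted value needs a different encoder for each output context, and links and rich text are validated or filtered rather than encoded. The `CommentRenderer` class, its package, and its method names are assumptions made for this example; the `XSSAPI`, `XSSFilter`, and `ProtectionContext` types are the bundle's own public API.

```java
// Added example, not part of the Apache Sling XSS bundle. The class, package
// and method names below are assumptions; XSSAPI, XSSFilter and
// ProtectionContext are the bundle's public API (org.apache.sling.xss).
package org.example.xssdemo;

import org.apache.sling.xss.ProtectionContext;
import org.apache.sling.xss.XSSAPI;
import org.apache.sling.xss.XSSFilter;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = CommentRenderer.class)
public class CommentRenderer {

    @Reference
    private XSSAPI xssAPI;

    @Reference
    private XSSFilter xssFilter;

    /** Untrusted text inside an element body: encode for the HTML content context. */
    public String renderBody(String untrusted) {
        return "<p>" + xssAPI.encodeForHTML(untrusted) + "</p>";
    }

    /** The same text inside a quoted attribute needs the attribute encoder. */
    public String renderTitleAttr(String untrusted) {
        return "<span title=\"" + xssAPI.encodeForHTMLAttr(untrusted) + "\">...</span>";
    }

    /** Inside a JavaScript string literal the HTML encoders are the wrong tool. */
    public String renderInlineScript(String untrusted) {
        return "<script>var author = '" + xssAPI.encodeForJSString(untrusted) + "';</script>";
    }

    /**
     * Links are validated, not encoded: getValidHref returns an empty string
     * when the URL is rejected (e.g. a javascript: scheme), so the link is
     * dropped instead of being emitted. The surviving href is still
     * attribute-encoded because it lands inside a quoted attribute.
     */
    public String renderLink(String untrustedHref, String label) {
        String href = xssAPI.getValidHref(untrustedHref);
        String safeLabel = xssAPI.encodeForHTML(label);
        if (href.isEmpty()) {
            return safeLabel;
        }
        return "<a href=\"" + xssAPI.encodeForHTMLAttr(href) + "\">" + safeLabel + "</a>";
    }

    /** Rich text that must keep some markup: filter it against the AntiSamy policy. */
    public String renderRichText(String untrustedHtml) {
        return xssAPI.filterHTML(untrustedHtml);
    }

    /**
     * Validate-and-reject instead of sanitize: XSSFilter.check reports whether the
     * input already conforms to the policy, which is the right call at storage
     * time when you would rather refuse input than silently rewrite it.
     */
    public boolean isAcceptableRichText(String untrustedHtml) {
        return xssFilter.check(ProtectionContext.HTML_HTML_CONTENT, untrustedHtml);
    }

    /** Numeric request parameters: parse with a fallback instead of Integer.parseInt. */
    public int pageSize(String untrustedParam) {
        Integer n = xssAPI.getValidInteger(untrustedParam, 10);
        return n == null ? 10 : Math.min(Math.max(n, 1), 100);
    }
}
```

The design choice to note is that `filterHTML` and `XSSFilter.filter` are reserved for the one place where markup must survive (rich text); everywhere else the value is encoded for exactly the context it is written into, and an encoder for one context (HTML body) must not be reused for another (attribute, script, URL).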

Runtime and implementation notes

  • Requires Java 11+ (the project is also built in CI with newer JDKs, including Java 25).
  • Uses OSGi R7 Declarative Services.
  • Uses OWASP Java Encoder and a custom AntiSamy XML policy parser.
  • Uses owasp-java-html-sanitizer for HTML sanitization.
  • Embeds ESAPI, Batik CSS, and HTML sanitizer packages as private bundle packages to avoid OSGi import conflicts.
  • Includes optional invalid-href metrics integration via Sling Commons Metrics.
  • Excludes legacy/conflicting transitive logging dependencies such as commons-logging and does not depend on Log4j 1.x.

Build and test

# Build and package (skip tests)
mvn clean package -DskipTests

# Full build with tests
mvn clean verify

# Run all tests
mvn test

# Run a single test class
mvn test -Dtest=XSSAPIImplTest

# Run a single test method
mvn test -Dtest=XSSAPIImplTest#testGetValidHref

# Run policy parser / sanitizer regression tests
mvn test -Dtest=AntiSamyPolicyWithAdditionalGlobalAndDynamicConditionsTest

# Check / apply formatting
mvn spotless:check
mvn spotless:apply

# OSGi baseline check
mvn verify -Pbaseline

# Generate coverage report
mvn verify jacoco:report

Repository layout

src/
  main/
    appended-resources/
      META-INF/
    java/
      org/apache/sling/xss/          # Public API
      org/apache/sling/xss/impl/     # OSGi service implementations
      org/apache/sling/xss/impl/xml/ # AntiSamy XML policy parser
      org/apache/sling/xss/impl/style/      # CSS validation via Batik
      org/apache/sling/xss/impl/status/     # Runtime status service
      org/apache/sling/xss/impl/webconsole/ # Web console plugin
      org/owasp/html/                # Sanitizer extensions
    resources/
      ESAPI.properties
      validation.properties
      SLING-INF/
      webconsole/
  test/
    java/
      org/apache/sling/xss/impl/     # XSS API/filter/sanitizer tests
      org/apache/sling/xss/impl/xml/ # XML policy parser tests
    resources/                       # AntiSamy XML fixtures and test logging config