apache/sling-org-apache-sling-xss


Apache Sling XSS Protection

This module is part of the Apache Sling project.

The Apache Sling XSS Bundle provides two services for escaping and filtering XSS-prone, user-submitted content:

  1. org.apache.sling.xss.XSSAPI
  2. org.apache.sling.xss.XSSFilter

See the JavaDoc of each service for the complete API surface.
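As an added illustration (not code from this bundle), a hypothetical Sling servlet that consumes the XSSAPI service and routes each request parameter through the method matching its output context: encoding for text nodes and attributes, href validation for links, policy-based filtering for rich text, and typed validation for numbers. The servlet path and parameter names are invented; the XSSAPI method names used are those of the public service, so confirm signatures against the JavaDoc referenced above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Servlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Hypothetical consumer of the XSSAPI service (not part of the Sling XSS bundle):
// renders a profile card from request parameters, treating each one as untrusted.
@Component(service = Servlet.class,
           property = { "sling.servlet.paths=/bin/example/profile-card" })
public class ProfileCardServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssApi;

    private static String param(SlingHttpServletRequest request, String name) {
        String value = request.getParameter(name);
        return value == null ? "" : value;
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // Encoding: every character is kept but made inert for its output context.
        String name  = xssApi.encodeForHTML(param(request, "name"));       // text node
        String title = xssApi.encodeForHTMLAttr(param(request, "title"));  // attribute
        // Validation: getValidHref returns "" for URLs the configured policy rejects
        // (disallowed schemes, malformed input), so no link is emitted at all.
        String link  = xssApi.getValidHref(param(request, "link"));
        // Filtering: filterHTML keeps markup the AntiSamy policy allows and drops the
        // rest, which is the right tool for rich text that must keep some formatting.
        String bio   = xssApi.filterHTML(param(request, "bio"));
        // Typed validation: anything that is not an integer falls back to the default.
        int age = xssApi.getValidInteger(param(request, "age"), 0);

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();
        out.printf("<div class=\"card\" title=\"%s\">%n", title);
        out.printf("  <h2>%s (%d)</h2>%n", name, age);
        if (!link.isEmpty()) out.printf("  <a href=\"%s\">Homepage</a>%n", link);
        out.printf("  <div class=\"bio\">%s</div>%n", bio);
        out.println("</div>");
    }
}
```

The distinction to take away is that encoding preserves the input and changes only how it renders, while filtering and validation reject or strip parts of it, so the choice depends on whether the consumer needs raw text or sanitized markup.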

Runtime and implementation notes

  • Requires Java 11+ (the project is also built in CI with newer JDKs, including Java 25).
  • Uses OSGi R7 Declarative Services.
  • Uses OWASP Java Encoder and a custom AntiSamy XML policy parser.
  • Uses owasp-java-html-sanitizer for HTML sanitization.
  • Embeds ESAPI, Batik CSS, and HTML sanitizer packages as private bundle packages to avoid OSGi import conflicts.
  • Includes optional invalid-href metrics integration via Sling Commons Metrics.
  • Excludes legacy/conflicting transitive logging dependencies such as commons-logging and does not depend on Log4j 1.x.

Build and test

# Build and package (skip tests)
mvn clean package -DskipTests

# Full build with tests
mvn clean verify

# Run all tests
mvn test

# Run a single test class
mvn test -Dtest=XSSAPIImplTest

# Run a single test method
mvn test -Dtest=XSSAPIImplTest#testGetValidHref

# Run policy parser / sanitizer regression tests
mvn test -Dtest=AntiSamyPolicyWithAdditionalGlobalAndDynamicConditionsTest

# Check / apply formatting
mvn spotless:check
mvn spotless:apply

# OSGi baseline check
mvn verify -Pbaseline

# Generate coverage report
mvn verify jacoco:report

Repository layout

src/
  main/
    appended-resources/
      META-INF/
    java/
      org/apache/sling/xss/                 # Public API
      org/apache/sling/xss/impl/            # OSGi service implementations
      org/apache/sling/xss/impl/xml/        # AntiSamy XML policy parser
      org/apache/sling/xss/impl/style/      # CSS validation via Batik
      org/apache/sling/xss/impl/status/     # Runtime status service
      org/apache/sling/xss/impl/webconsole/ # Web console plugin
      org/owasp/html/                       # Sanitizer extensions
    resources/
      ESAPI.properties
      validation.properties
      SLING-INF/
      webconsole/
  test/
    java/
      org/apache/sling/xss/impl/            # XSS API/filter/sanitizer tests
      org/apache/sling/xss/impl/xml/        # XML policy parser tests
    resources/                              # AntiSamy XML fixtures and test logging config
