[ https://issues.apache.org/jira/browse/SLING-12744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17942378#comment-17942378 ]
Robert Munteanu commented on SLING-12744:
-----------------------------------------
Thanks for the report [~abangroo]. Can you please explain steps to reproduce in
a way that works with Sling? You have instructions for getting started at
https://sling.apache.org/documentation/getting-started.html
> Sling XSS is stripping away international telephone prefix ( +tel )
> -------------------------------------------------------------------
>
> Key: SLING-12744
> URL: https://issues.apache.org/jira/browse/SLING-12744
> Project: Sling
> Issue Type: Bug
> Components: XSS Protection API
> Affects Versions: XSS Protection API 2.4.6
> Reporter: Ankush Bangroo
> Priority: Major
>
> Sling XSS is stripping away international telephone prefix ( +tel )
>
> Defined a regular expression here
>
> {code:java}
> <regexp name="telURL" value="tel:[\+0-9]+"/>
> {code}
>
> Added the regex:
>
>
> {noformat}
> <attribute name="href">
>   <regexp-list>
>     <regexp name="onsiteURL"/>
>     <regexp name="offsiteURL"/>
>     <regexp name="expressionURL"/>
>     <regexp name="telURL"/>
>   </regexp-list>
> </attribute>
> {noformat}
>
> We can reproduce by having a text component and following these steps
> * Add the number
> * Do Save
> ** Check the POST Call
> ** Check JCR
> * Reopen the RTE
> ** Refresh the page, validate what is loaded
> ** Open the Dialog, check what is present in the JSON
> * Save again the RTE
> ** Check the POST call
> ** Check JCR
> The POST call strips away the telephone link
>