in src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java [235:259]
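/**
 * Checks a URL against the allow-list configured for the {@code href} attribute.
 *
 * <p>The lower-cased URL is first looked up in the allowed literal values of
 * {@code hrefAttribute}, then matched against its allowed expressions. If that
 * expression matching throws a {@link StackOverflowError}, the same two-step check is
 * repeated against {@code FALLBACK_HREF_ATTRIBUTE}. If the fallback overflows as well,
 * the URL is treated as invalid (fail-closed).
 *
 * <p>Every rejected URL is reported to {@code statusService} and counted in
 * {@code invalidHrefs}.
 *
 * @param url the URL to validate; must not be {@code null}
 * @return {@code true} if the URL is accepted by the configured or the fallback rules,
 *         {@code false} otherwise
 */
private boolean runHrefValidation(@NotNull String url) {
    // Same logic as in org.owasp.validator.html.scan.MagicSAXFilter.startElement()
    // Case folding must not depend on the JVM default locale: under e.g. a Turkish locale
    // "I" lower-cases to a dotless "ı", so the verdict of this security check would vary
    // with the host configuration. The fully qualified name avoids needing a new import.
    final String urlLowerCase = url.toLowerCase(java.util.Locale.ROOT);
    boolean isValid = hrefAttribute.containsAllowedValue(urlLowerCase);
    if (!isValid) {
        try {
            isValid = hrefAttribute.matchesAllowedExpression(urlLowerCase);
        } catch (StackOverflowError e) {
            // isValid is still false here. The overflow is only logged at debug level.
            // NOTE(review): url is presumably caller-supplied and is written to the log
            // verbatim; confirm the log layout neutralises control characters.
            logger.debug("Detected a StackOverflowError when validating url {} with configured regexes. Trying fallback.", url);
            try {
                isValid = FALLBACK_HREF_ATTRIBUTE.containsAllowedValue(urlLowerCase);
                if (!isValid) {
                    isValid = FALLBACK_HREF_ATTRIBUTE.matchesAllowedExpression(urlLowerCase);
                }
            } catch (StackOverflowError inner) {
                // Only the expression match can be reached with isValid == false, so an
                // overflow here leaves the URL rejected rather than accepted.
                logger.debug("Detected a StackOverflowError when validating url {} with fallback regexes", url);
            }
        }
    }
    if (!isValid) {
        // Surface the rejection for monitoring: status report plus a counter.
        statusService.reportInvalidUrl(url);
        invalidHrefs.increment();
    }
    return isValid;
}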