[ https://issues.apache.org/jira/browse/SLING-6866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Radu Cotescu updated SLING-6866:
--------------------------------

    Fix Version/s:     (was: Scripting HTL Compiler 1.0.0)
                       (was: Scripting HTL Engine 1.0.20)
                       Scripting HTL Compiler 1.0.10

> HTL doesn't allow overwriting the context for data-sly-text
> ------------------------------------------------------------
>
>                 Key: SLING-6866
>                 URL: https://issues.apache.org/jira/browse/SLING-6866
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting HTL Compiler 1.0.0
>            Reporter: Konrad Windszus
>            Assignee: Radu Cotescu
>             Fix For: Scripting HTL Compiler 1.0.10
>
>
> For the following Sightly script
> {code}
> <a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
> {code}
> the generated Servlet looks like this
> {code}
> Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss",
>     "invalidelement", "unsafe"), "elementName");
> if (RenderUtils.toBoolean(var_tagvar0)) {
>     out.write("<");
>     out.write(RenderUtils.toString(var_tagvar0));
> }
> if (!RenderUtils.toBoolean(var_tagvar0)) {
>     out.write("<a");
> }
> out.write(">");
> if (RenderUtils.toBoolean(var_tagvar0)) {
>     out.write("</");
>     out.write(RenderUtils.toString(var_tagvar0));
>     out.write(">");
> }
> if (!RenderUtils.toBoolean(var_tagvar0)) {
>     out.write("</a>");
> }
> {code}
> So the element name is XSS protected twice. First with 'unsafe' (which
> doesn't modify the given literal) and then with 'elementName', which removes
> the literal.
> Therefore the generated HTML from the servlet is {{<a></a>}} instead of
> {{<invalidelement></invalidelement>}}
> This contradicts the documentation at
> https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which
> says
> {quote}
> For security reasons, data-sly-element accepts only the following element
> names:
> a abbr address article aside b bdi bdo blockquote br caption cite code col
> colgroup
> data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6
> header i ins
> kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong
> sub
> sup table tbody td tfoot th thead time tr u var wbr
> To set other elements, XSS security must be turned off (@context='unsafe').
> {quote}
> The HTL spec only says
> {quote}
> The element name is automatically XSS-protected with the elementName context,
> which by the way doesn't allow elements like <script>, <style>, <form>, or
> <input> (see the Display Context section for the exact list).
> {quote}
> (https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).
> I am wondering if it really is just impossible to give out arbitrary tag
> names with {{data-sly-element}}.
> IMHO if another context is given, that one should replace the "elementName"
> context, instead of being added on top.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
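The two behaviours discussed in the issue (the compiler chaining the explicit context and then elementName on top, versus the reporter's proposal that an explicit context replaces elementName) can be modelled with a small stand-in for the `xss` call. This is an added example, not code from the Sling HTL compiler or its XSSAPI; the `xss` function, the allow-list check (exact-match, taken from the element list in the quoted documentation) and the two `render_element_*` helpers are hypothetical models of the generated servlet's logic, including its fallback to the template's literal element when the filtered name is empty.

```python
"""Model of how HTL display contexts compose for data-sly-element (constructed example)."""

# Element names the elementName context lets through, as listed in the HTL
# documentation quoted in the issue (assumed here to be the complete allow-list).
ELEMENT_NAME_ALLOWLIST = frozenset("""
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
""".split())


def xss(value, context):
    """Hypothetical stand-in for renderContext.call("xss", value, context).

    Only the two contexts relevant to the issue are modelled; exact-match
    comparison against the allow-list is an assumption of this model.
    """
    if context == "unsafe":
        return value                       # caller opted out: literal passes through
    if context == "elementName":
        return value if value in ELEMENT_NAME_ALLOWLIST else ""   # anything else is dropped
    raise ValueError(f"unsupported context {context!r}")


def render_element_current(name, explicit_context=None, template_tag="a"):
    """Behaviour the issue reports: explicit context first, then elementName on top.

    An empty filtered name is falsy, so the generated servlet falls back to the
    element written literally in the template (``<a>`` in the issue's script).
    """
    value = xss(name, explicit_context) if explicit_context else name
    tag = xss(value, "elementName") or template_tag
    return f"<{tag}></{tag}>"


def render_element_proposed(name, explicit_context=None, template_tag="a"):
    """Behaviour the reporter asks for: an explicit context replaces elementName.

    Without an explicit context the elementName allow-list still applies, so
    names such as ``script`` are still rejected by default.
    """
    tag = xss(name, explicit_context or "elementName") or template_tag
    return f"<{tag}></{tag}>"


if __name__ == "__main__":
    for label, render in (("current", render_element_current),
                          ("proposed", render_element_proposed)):
        print(label, "unsafe/invalidelement:", render("invalidelement", "unsafe"))
        print(label, "default/div:          ", render("div"))
        print(label, "default/script:       ", render("script"))
```

Running the block shows the difference the issue describes: with the current composition `invalidelement @ context='unsafe'` still collapses to `<a></a>`, while under the proposed semantics it renders as `<invalidelement></invalidelement>`; in both models a name outside the allow-list with no explicit context (for example `script`) is replaced by the template's element, so the default protection is unchanged by the proposal.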