[ https://issues.apache.org/jira/browse/SLING-6866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Radu Cotescu updated SLING-6866:
--------------------------------
    Description: 
When using the following expression

{code:html}
<div data-sly-text="${properties.desc @ context='html'}"></div>
{code}

the output is escaped.

  was:
For the following Sightly script
{code}
<a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
{code}
the generated Servlet looks like this
{code}
// the element name is passed through the 'unsafe' context first and then through 'elementName' on top of it
Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss", "invalidelement", "unsafe"), "elementName");
// an empty (filtered) name falls back to the literal <a> element from the script
if (RenderUtils.toBoolean(var_tagvar0)) {
    out.write("<");
    out.write(RenderUtils.toString(var_tagvar0));
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
    out.write("<a");
}
out.write(">");
if (RenderUtils.toBoolean(var_tagvar0)) {
    out.write("</");
    out.write(RenderUtils.toString(var_tagvar0));
    out.write(">");
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
    out.write("</a>");
}
{code}

So the element name is XSS protected twice. First with 'unsafe' (which doesn't modify the given literal) and then with 'elementName', which removes the literal.
Therefore the generated HTML from the servlet is {{<a></a>}} instead of {{<invalidelement></invalidelement>}}.

This contradicts the documentation at https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which says
{quote}
For security reasons, data-sly-element accepts only the following element names:
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub sup table tbody td tfoot th thead time tr u var wbr

To set other elements, XSS security must be turned off (@context='unsafe').
{quote}

The HTL spec only says
{quote}
The element name is automatically XSS-protected with the elementName context, which by the way doesn't allow elements like <script>, <style>, <form>, or <input> (see the Display Context section for the exact list).
{quote}
(https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).

I am wondering if it really is just impossible to give out arbitrary tag names with {{data-sly-element}}.
IMHO if another context is given, that one should replace the "elementName" context, instead of being added on top.
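The two behaviours discussed in this issue (the stacked `unsafe` + `elementName` contexts for data-sly-element, and data-sly-text ignoring an explicit context) are modelled below in a small Python simulation. This is an added example, not code from the HTL compiler; `xss`, `render_element` and `render_text` are hypothetical stand-ins for `renderContext.call("xss", ...)` and the generated servlet, and the `html` context is simplified to a pass-through where the real implementation runs a sanitizer.

```python
import html

# Element names accepted by the elementName context, as listed in the HTL docs quoted above.
ELEMENT_NAME_ALLOWLIST = frozenset("""
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
""".split())


def xss(value, context):
    """Hypothetical stand-in for renderContext.call("xss", value, context)."""
    if context == "unsafe":
        return value                      # explicit opt-out: literal passes through unchanged
    if context == "elementName":
        return value if value.lower() in ELEMENT_NAME_ALLOWLIST else ""
    if context == "text":
        return html.escape(value, quote=True)
    if context == "html":
        return value                      # assumption: real HTL sanitizes markup here
    raise ValueError(f"unsupported context: {context}")


def element_name_stacked(literal, user_context):
    """Behaviour reported in the issue: user context first, elementName applied on top."""
    return xss(xss(literal, user_context), "elementName")


def element_name_replaced(literal, user_context=None):
    """Behaviour proposed in the issue: an explicit context replaces elementName."""
    return xss(literal, user_context or "elementName")


def render_element(name_literal, user_context, strategy):
    """Mimics the generated servlet: a filtered (empty) name falls back to the <a> literal."""
    tag = strategy(name_literal, user_context)
    return f"<{tag}></{tag}>" if tag else "<a></a>"


def render_text(value, context="text", honor_context=True):
    """data-sly-text: defaults to the text context; the reported bug ignores an explicit one."""
    effective = context if honor_context else "text"
    return f"<div>{xss(value, effective)}</div>"
```

Note that `script` is rejected under either strategy unless the author explicitly chooses `unsafe`, which is the documented opt-out.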


> HTL doesn't allow to overwrite the context for data-sly-text
> ------------------------------------------------------------
>
>                 Key: SLING-6866
>                 URL: https://issues.apache.org/jira/browse/SLING-6866
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting HTL Compiler 1.0.0
>            Reporter: Konrad Windszus
>            Assignee: Radu Cotescu
>             Fix For: Scripting HTL Compiler 1.0.10
>
>
> When using the following expression
> {code:html}
> <div data-sly-text="${properties.desc @ context='html'}"></div>
> {code}
> the output is escaped.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)