[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger reassigned SLING-4177: ---------------------------------------- Assignee: Felix Meschberger > Sightly: StyleString context doesn't properly escape > ---------------------------------------------------- > > Key: SLING-4177 > URL: https://issues.apache.org/jira/browse/SLING-4177 > Project: Sling > Issue Type: Bug > Components: Scripting > Reporter: Vlad Bailescu > Assignee: Felix Meschberger > Priority: Minor > Labels: Sightly > Fix For: XSS Protection API 1.0.0, Scripting Sightly Engine 1.0.0 > > > The {{context='styleString'}} expression option seems to escape strings the > same way as {{context='scriptString'}}, but this breaks the string, making > that context unusable. CSS strings are to be escaped {{\HH}} and not {{\xHH}} > like in JS: > https://developer.mozilla.org/en-US/docs/Web/CSS/string > Consider following example: > {code:html} > <style> > .ft:after { content: "${'\'' @ context='styleString'}"; } > .in:after { content: "${'\"' @ context='styleString'}"; } > </style> > {code} > Which currently gets incorrectly rendered as follows: > {code:html} > <style> > .ft:after { content: "\x27"; } > .in:after { content: "\x22"; } > </style> > {code} > Following output would have been expected: > {code:html} > <style> > .ft:after { content: "\27"; } > .in:after { content: "\22"; } > </style> > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)