[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape

2015-01-06 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14266183#comment-14266183 ]

ASF GitHub Bot commented on SLING-4177:
---

Github user vladbailescu closed the pull request at:

https://github.com/apache/sling/pull/52


 Sightly: StyleString context doesn't properly escape
 

 Key: SLING-4177
 URL: https://issues.apache.org/jira/browse/SLING-4177
 Project: Sling
  Issue Type: Bug
  Components: Extensions, Scripting
Reporter: Vlad Bailescu
Assignee: Felix Meschberger
Priority: Minor
  Labels: Sightly
 Fix For: XSS Protection API 1.0.0, Scripting Sightly Engine 1.0.0


 The {{context='styleString'}} expression option seems to escape strings the 
 same way as {{context='scriptString'}}, but this breaks the string, making 
 that context unusable. CSS strings are to be escaped {{\HH}} and not {{\xHH}} 
 like in JS:
 https://developer.mozilla.org/en-US/docs/Web/CSS/string
 Consider the following example:
 {code:html}
 <style>
 .ft:after { content: ${'\'' @ context='styleString'}; }
 .in:after { content: ${'\' @ context='styleString'}; }
 </style>
 {code}
 Which currently gets incorrectly rendered as follows:
 {code:html}
 <style>
 .ft:after { content: \x27; }
 .in:after { content: \x22; }
 </style>
 {code}
 The following output would have been expected:
 {code:html}
 <style>
 .ft:after { content: \27; }
 .in:after { content: \22; }
 </style>
 {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
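
The difference the report describes, as an added example that is not code from the Sling pull request: a CSS parser reads `\27` as an apostrophe but reads `\x27` as the literal text `x27`, so JS-style escaping corrupts the value. The function names, the escape policy and the sample values are assumptions made for this illustration.

```javascript
// Added example; the escape policy (everything except ASCII letters, digits
// and space becomes a hex escape) is an assumption, not Sling's code.
function escapeCssString(input) {
  const chars = Array.from(input); // iterate by code point
  let out = "";
  for (let i = 0; i < chars.length; i++) {
    if (/^[A-Za-z0-9 ]$/.test(chars[i])) { out += chars[i]; continue; }
    out += "\\" + chars[i].codePointAt(0).toString(16);
    // A following hex digit or space would be absorbed by the escape,
    // so close the escape with one space in that case.
    if (/^[0-9A-Fa-f ]$/.test(chars[i + 1] || "")) out += " ";
  }
  return out;
}

// JS-style \xHH escaping (ASCII input only), the behaviour the report describes.
function escapeJsStyle(input) {
  return input.replace(/[^A-Za-z0-9 ]/g, (c) =>
    "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// What a CSS parser recovers from the body of a string token.
function decodeCssString(body) {
  let out = "";
  for (let i = 0; i < body.length; ) {
    if (body[i] !== "\\") { out += body[i++]; continue; }
    i++; // skip the backslash
    if (i >= body.length) break; // trailing backslash yields nothing
    const hex = /^[0-9A-Fa-f]{1,6}/.exec(body.slice(i));
    if (hex) {
      i += hex[0].length;
      if (/[ \t\n\r\f]/.test(body[i] || "")) i++; // one whitespace ends the escape
      let cp = parseInt(hex[0], 16);
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) cp = 0xfffd;
      out += String.fromCodePoint(cp);
    } else if (body[i] === "\n") {
      i++; // backslash-newline is a line continuation
    } else {
      out += body[i++]; // "\x" is just "x": the JS-style escape is not decoded
    }
  }
  return out;
}

// Constructed sample values.
const samples = ["'", '"', "'a", "' b", "back\\slash", "</style>", "line\nbreak"];
function roundTrips() {
  return samples.every((s) => decodeCssString(escapeCssString(s)) === s);
}
```
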


[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape

2014-12-03 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233068#comment-14233068 ]

ASF GitHub Bot commented on SLING-4177:
---

GitHub user vladbailescu opened a pull request:

https://github.com/apache/sling/pull/52

SLING-4177 - Added escaping for styleString context

* added a new method for style string escaping to XSS API
* added implementation and tests
* added string escaping in Sightly for styleString context

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/vladbailescu/sling SLING-4177-styleString-context-escaping

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/sling/pull/52.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #52


commit a836590e972831b4ac57c2b690b1be757ddcc32d
Author: vladbailescu baile...@adobe.com
Date:   2014-12-03T14:48:29Z

SLING-4177 - Added escaping for styleString context

* added a new method for style string escaping to XSS API
* added implementation and tests
* added string escaping in Sightly for styleString context




 Sightly: StyleString context doesn't properly escape
 

 Key: SLING-4177
 URL: https://issues.apache.org/jira/browse/SLING-4177
 Project: Sling
  Issue Type: Bug
  Components: Scripting
Reporter: Vlad Bailescu
Priority: Minor
  Labels: Sightly
 Fix For: Scripting Sightly Engine 1.0.0




[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape

2014-11-28 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228317#comment-14228317 ]

ASF GitHub Bot commented on SLING-4177:
---

Github user vladbailescu closed the pull request at:

https://github.com/apache/sling/pull/46




[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape

2014-11-28 Thread Felix Meschberger (JIRA)

[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228332#comment-14228332 ]

Felix Meschberger commented on SLING-4177:
--

[~vladb] I am a bit confused about this status. Are you going to provide a 
different pull request for this?



[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape

2014-11-28 Thread Vlad Bailescu (JIRA)

[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228388#comment-14228388 ]

Vlad Bailescu commented on SLING-4177:
--

Yes,

I'll send in a new pull request, I messed up my branch while trying to 
pull/merge the latest from trunk.

Sorry about that,
Vlad

Sent from my mobile.





[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape

2014-11-28 Thread Felix Meschberger (JIRA)

[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228390#comment-14228390 ]

Felix Meschberger commented on SLING-4177:
--

No problem. Thanks. Standing by.



[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape

2014-11-20 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14219300#comment-14219300 ]

ASF GitHub Bot commented on SLING-4177:
---

GitHub user vladbailescu opened a pull request:

https://github.com/apache/sling/pull/46

SLING-4177 - Added escaping for styleString context

* added a new method for style string escaping to XSS API
* added implementation (using OWASP encoder) and tests
* added string escaping in Sightly for styleString context

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/vladbailescu/sling SLING-4177-escape-stylestring

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/sling/pull/46.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #46


commit 53938e14a860bfd46b1dabbbcba168ae5517a04b
Author: vladbailescu baile...@adobe.com
Date:   2014-11-20T11:43:20Z

SLING-4177 - Added escaping for styleString context

* added a new method for style string escaping to XSS API
* added implementation and tests
* added string escaping in Sightly for styleString context



