[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape
[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14266183#comment-14266183 ]

ASF GitHub Bot commented on SLING-4177:
---------------------------------------

Github user vladbailescu closed the pull request at:

    https://github.com/apache/sling/pull/52

Sightly: StyleString context doesn't properly escape
----------------------------------------------------

                Key: SLING-4177
                URL: https://issues.apache.org/jira/browse/SLING-4177
            Project: Sling
         Issue Type: Bug
         Components: Extensions, Scripting
           Reporter: Vlad Bailescu
           Assignee: Felix Meschberger
           Priority: Minor
             Labels: Sightly
            Fix For: XSS Protection API 1.0.0, Scripting Sightly Engine 1.0.0

The {{context='styleString'}} expression option seems to escape strings the same way as {{context='scriptString'}}, but this breaks the string, making that context unusable. CSS strings are to be escaped {{\HH}} and not {{\xHH}} like in JS: https://developer.mozilla.org/en-US/docs/Web/CSS/string

Consider the following example:

{code:html}
<style>
.ft:after { content: ${'\'' @ context='styleString'}; }
.in:after { content: ${'\"' @ context='styleString'}; }
</style>
{code}

Which currently gets incorrectly rendered as follows:

{code:html}
<style>
.ft:after { content: \x27; }
.in:after { content: \x22; }
</style>
{code}

The following output would have been expected:

{code:html}
<style>
.ft:after { content: \27; }
.in:after { content: \22; }
</style>
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
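The escaping rule the report relies on, shown as an added example that is not code from Sling, the XSS Protection API or the OWASP encoder the pull request builds on: a minimal CSS string escaper that emits the `\HH` form, the JS-style `\xHH` escaper it is contrasted with, and a decoder that follows the CSS Syntax Level 3 "consume an escaped code point" algorithm, so you can see why the JS form comes out of a stylesheet as the literal text `x27` rather than a quote. The function names and the allowlist of characters left unescaped (ASCII letters and digits only) are assumptions made for this illustration.

```python
"""CSS string escaping vs. JavaScript string escaping (SLING-4177).

Added illustration, not Sling / XSS API / OWASP encoder code. The names
and the unescaped-character allowlist below are assumptions.
"""
import string

HEX_DIGITS = set(string.hexdigits)              # 0-9 a-f A-F
CSS_WHITESPACE = {" ", "\t", "\n", "\r", "\f"}  # whitespace per CSS Syntax Level 3


def _is_safe(ch: str) -> bool:
    # Assumed allowlist: only ASCII letters and digits pass through unescaped.
    return ch.isascii() and ch.isalnum()


def escape_css_string(value: str) -> str:
    """Escape `value` for use inside a quoted CSS string literal.

    Every character outside the allowlist becomes `\\HH` (1-6 uppercase hex
    digits). A trailing space is appended when the next character is a hex
    digit or whitespace, because the CSS tokenizer would otherwise swallow
    it into the escape (`\\271` is U+0271, not `'` followed by `1`).
    """
    out = []
    for i, ch in enumerate(value):
        if _is_safe(ch):
            out.append(ch)
            continue
        esc = "\\%X" % ord(ch)
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if nxt in HEX_DIGITS or nxt in CSS_WHITESPACE:
            esc += " "
        out.append(esc)
    return "".join(out)


def escape_js_string(value: str) -> str:
    """JavaScript-style escaping: `\\xHH` below U+0100, `\\uHHHH` above.

    This is the shape the report shows leaking from the scriptString
    context into styleString output; it is not valid CSS escaping.
    """
    out = []
    for ch in value:
        if _is_safe(ch):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


def css_unescape(text: str) -> str:
    """Decode escapes the way a CSS tokenizer does.

    CSS Syntax Level 3, 'consume an escaped code point': `\\` + 1-6 hex
    digits is one code point and absorbs a single following whitespace;
    `\\` + any other character yields that character literally; a lone
    trailing `\\` yields U+FFFD, as do zero, surrogates and out-of-range values.
    """
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        i += 1
        if ch != "\\":
            out.append(ch)
            continue
        if i >= len(text):
            out.append("\ufffd")
            break
        if text[i] in HEX_DIGITS:
            start = i
            while i < len(text) and i - start < 6 and text[i] in HEX_DIGITS:
                i += 1
            cp = int(text[start:i], 16)
            if cp == 0 or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                cp = 0xFFFD
            out.append(chr(cp))
            if i < len(text) and text[i] in CSS_WHITESPACE:
                i += 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)
```

Running `css_unescape(escape_js_string("'"))` gives `x27`: the tokenizer treats `\x` as an escaped literal `x` and the `27` as ordinary characters, which is exactly why the report calls the context unusable. `css_unescape(escape_css_string("'"))` round-trips to `'`. The trailing-space rule matters for the hardened form too: `escape_css_string("a\nb")` must produce `a\A b`, since `\Ab` would decode to U+00AB. In a real template engine you would still reach for a vetted encoder (the pull request in this thread uses the OWASP encoder) rather than hand-rolling the allowlist.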
[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape
[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233068#comment-14233068 ]

ASF GitHub Bot commented on SLING-4177:
---------------------------------------

GitHub user vladbailescu opened a pull request:

    https://github.com/apache/sling/pull/52

    SLING-4177 - Added escaping for styleString context

    * added a new method for style string escaping to XSS API
    * added implementation and tests
    * added string escaping in Sightly for styleString context

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vladbailescu/sling SLING-4177-styleString-context-escaping

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/sling/pull/52.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #52

----
commit a836590e972831b4ac57c2b690b1be757ddcc32d
Author: vladbailescu <baile...@adobe.com>
Date:   2014-12-03T14:48:29Z

    SLING-4177 - Added escaping for styleString context

    * added a new method for style string escaping to XSS API
    * added implementation and tests
    * added string escaping in Sightly for styleString context
[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape
[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228317#comment-14228317 ]

ASF GitHub Bot commented on SLING-4177:
---------------------------------------

Github user vladbailescu closed the pull request at:

    https://github.com/apache/sling/pull/46
[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape
[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228332#comment-14228332 ]

Felix Meschberger commented on SLING-4177:
------------------------------------------

[~vladb] I am a bit confused about this status. Are you going to provide a different pull request for this?
[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape
[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228388#comment-14228388 ]

Vlad Bailescu commented on SLING-4177:
--------------------------------------

Yes, I'll send in a new pull request, I messed up my branch while trying to pull/merge the latest from trunk.

Sorry about that,
Vlad

Sent from my mobile.
[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape
[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228390#comment-14228390 ]

Felix Meschberger commented on SLING-4177:
------------------------------------------

No problem. Thanks. Standing by.
[jira] [Commented] (SLING-4177) Sightly: StyleString context doesn't properly escape
[ https://issues.apache.org/jira/browse/SLING-4177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14219300#comment-14219300 ]

ASF GitHub Bot commented on SLING-4177:
---------------------------------------

GitHub user vladbailescu opened a pull request:

    https://github.com/apache/sling/pull/46

    SLING-4177 - Added escaping for styleString context

    * added a new method for style string escaping to XSS API
    * added implementation (using OWASP encoder) and tests
    * added string escaping in Sightly for styleString context

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vladbailescu/sling SLING-4177-escape-stylestring

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/sling/pull/46.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #46

----
commit 53938e14a860bfd46b1dabbbcba168ae5517a04b
Author: vladbailescu <baile...@adobe.com>
Date:   2014-11-20T11:43:20Z

    SLING-4177 - Added escaping for styleString context

    * added a new method for style string escaping to XSS API
    * added implementation and tests
    * added string escaping in Sightly for styleString context