[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17579256#comment-17579256 ]
Konrad Windszus edited comment on SLING-11538 at 8/13/22 3:56 PM:
------------------------------------------------------------------
[~castelo] Commons Lang3 is already an existing dependency of the HTL Engine
bundle, while Commons Text is not. Also, Commons Text does not ship with, e.g.,
AEM 6.5. As I consider the underlying code pretty stable (and for sure upwards
compatible until Commons Lang 4 appears), I would rather stay with the deprecated
Commons Lang3 implementation for the time being.
bq. Also, I think it will be good to wrap the output with xssApi.getValidJson() to
ensure the result is correct
I don't think that we need another XSS protection for a JSON string, but rather
a dedicated context encapsulating the full JSON structure. I cannot think of an
XSS scenario with properly escaped JSON strings only. Feel free to raise a new
issue for a display context for the full JSON. Unfortunately
{{XSSApi.getValidJson()}} cannot be used for such a context (as that just
returns the second argument in case the JSON is invalid). This rather requires a
library like https://github.com/OWASP/json-sanitizer.
was (Author: kwin):
[~castelo] Commons Lang3 is already an existing dependency of the HTL Engine
bundle, while Commons Text is not. Also, Commons Text does not ship with, e.g.,
AEM 6.5. As I consider the underlying code pretty stable (and for sure upwards
compatible until Commons Lang 4 appears), I would rather stay with the deprecated
Commons Lang3 implementation for the time being.
bq. Also, I think it will be good to wrap the output with xssApi.getValidJson() to
ensure the result is correct
I don't think that we need another XSS protection for a JSON string, but rather
a dedicated context encapsulating the full JSON structure. I cannot think of an
XSS scenario with properly escaped JSON strings only. Feel free to raise a new
issue for a display context for the full JSON. Unfortunately
{{XSSApi.getValidJson()}} cannot be used for such a context (as that just
returns the second argument in case the JSON is invalid), but rather requires a
library like https://github.com/OWASP/json-sanitizer.
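The distinction drawn in the comment above, a single escaped JSON string value versus a whole JSON structure, as an added example (runnable with Node; not code from the HTL engine, from Commons Lang3 or from this ticket). escapeJsonString reimplements the escaping rules that Commons Lang3 StringEscapeUtils.escapeJson applies so that the output of the proposed jsonString context can be inspected here; the template markup, the payload and the embedFullJson helper are constructed for the demonstration and make no claim about how OWASP json-sanitizer or XSSAPI work internally.

```javascript
// Added example, not Sling/HTL or Commons Lang3 code.
// Rules of Commons Lang3 escapeJson: quote, backslash and forward slash get a
// backslash; \b \n \t \f \r use their named escapes; every other UTF-16 unit
// below 0x20 or above 0x7F becomes \uXXXX with uppercase hex digits.
const NAMED_ESCAPES = new Map([
  ['"', '\\"'], ['\\', '\\\\'], ['/', '\\/'],
  ['\b', '\\b'], ['\n', '\\n'], ['\t', '\\t'], ['\f', '\\f'], ['\r', '\\r'],
]);

function escapeJsonString(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {       // per UTF-16 unit, as Java does
    const ch = value[i];
    const unit = value.charCodeAt(i);
    if (NAMED_ESCAPES.has(ch)) {
      out += NAMED_ESCAPES.get(ch);
    } else if (unit >= 0x20 && unit <= 0x7f) {
      out += ch;                                  // printable ASCII passes through
    } else {
      out += '\\u' + unit.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

// Constructed template: an attacker-controlled string value placed inside a
// JSON object literal that is itself inside a <script> element.
function renderScriptBlockUnsafe(userName) {      // the 'before': no JSON string escaping
  return '<script>var cfg = {"name": "' + userName + '"};</script>';
}

function renderScriptBlock(userName) {            // the 'after': jsonString-style escaping
  return '<script>var cfg = {"name": "' + escapeJsonString(userName) + '"};</script>';
}

// What a browser would see: how many </script> closers the markup contains
// (more than one means the payload broke out of the element) and whether the
// object literal still parses back to the original value.
function inspectRendered(html) {
  const closers = html.split('</script>').length - 1;
  const literal = html.slice(html.indexOf('{'), html.lastIndexOf('}') + 1);
  let name = null;
  try { name = JSON.parse(literal).name; } catch (e) { name = null; }
  return { closers, name };
}

// A whole JSON document is a different problem: escaping it as one string would
// turn the structure into a literal, and inserting it raw trusts the caller.
// This helper shows the shape such a context needs (parse, re-serialise, then
// neutralise '<' so a closing tag cannot appear inside <script>); it throws on
// invalid input instead of substituting a default. It is an illustration, not
// the json-sanitizer algorithm.
function embedFullJson(jsonText) {
  const reserialised = JSON.stringify(JSON.parse(jsonText)); // throws on invalid JSON
  // '<' can only occur inside string literals in JSON.stringify output, so the
  // replacement keeps the document valid JSON and parses back to the same value.
  return reserialised.replace(/</g, '\\u003C');
}

// Demo run.
const payload = 'evil</script><script>alert(1)</script>';
console.log(inspectRendered(renderScriptBlockUnsafe(payload)));  // closers: 3, element broken out of
console.log(inspectRendered(renderScriptBlock(payload)));        // closers: 1, name round-trips
console.log(embedFullJson('{"a": "</script>", "b": [1, 2]}'));
```

The escaped string is safe inside the script element because `/` becomes `\/`, so the sequence `</script>` never appears in the markup while the JavaScript string still decodes to the original value; the unsafe template shows the break-out that a jsonString context prevents. embedFullJson deliberately throws on malformed input rather than returning a fallback, which is the behaviour the comment identifies as unsuitable in XSSApi.getValidJson().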
> Add display context for JSON string
> -----------------------------------
>
> Key: SLING-11538
> URL: https://issues.apache.org/jira/browse/SLING-11538
> Project: Sling
> Issue Type: Improvement
> Components: HTL
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Scripting HTL Engine 1.4.22-1.4.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> It would be useful to add an output context to HTL to be used inside JSON. As
> JSON is very complex, the most essential one, which currently cannot be
> achieved with any other existing context, is escaping for a JSON string value
> (compare with https://github.com/adobe/htl-spec/issues/5).
> I propose to introduce a new context {{jsonString}} next to {{scriptString}} in
> https://github.com/apache/sling-org-apache-sling-scripting-sightly/blob/192d953514e6e579428cda157a7e83fc2a05cc01/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java#L93.
> As it is not part of the official HTL spec at
> https://github.com/adobe/htl-spec/blob/master/SPECIFICATION.md#121-display-context
> it needs to be listed as a Sling-specific addition in
> https://sling.apache.org/documentation/bundles/scripting/scripting-htl.html#extensions-of-the-htl-specification.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)