[
https://issues.apache.org/jira/browse/SLING-4176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vlad Bailescu reopened SLING-4176:
----------------------------------
I just realized there's one case where we fail to offer XSS protection:
{{url("javascript:alert(1)")}}
I've prepared a patch for this case too.
> Sightly: StyleToken context is doing nothing
> --------------------------------------------
>
> Key: SLING-4176
> URL: https://issues.apache.org/jira/browse/SLING-4176
> Project: Sling
> Issue Type: Bug
> Components: Extensions, Scripting
> Reporter: Vlad Bailescu
> Assignee: Felix Meschberger
> Priority: Minor
> Labels: Sightly
> Fix For: XSS Protection API 1.0.0, Scripting Sightly Engine 1.0.0
>
>
> The context='styleToken' expression option doesn't seem to be doing anything
> (it seems to work as context='unsafe'). Similarly to scriptToken, this should
> actually be a validator that only allows following CSS tokens:
> - Identifiers, e.g.: red, or -moz-box-sizing
> - Numbers and dimensions, e.g.: 42, 42deg, .42s or 42%
> - Strings, e.g.: "it's there"
> - Hex colors, e.g.: #fff
> - Functions (making sure to have matching parenthesis!), e.g.: rgba(20%, 20%,
> 100%, 0.02), or url('data:image/png;base64,iVB...')
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
