[jira] [Created] (SLING-5944) Sightly doesn't allow to overwrite the context for `data-sly-element`

Wed, 03 Aug 2016 00:57:07 -0700 

Konrad Windszus created SLING-5944:
--------------------------------------

             Summary: Sightly doesn't allow to overwrite the context for 
`data-sly-element`
                 Key: SLING-5944
                 URL: https://issues.apache.org/jira/browse/SLING-5944
             Project: Sling
          Issue Type: Bug
          Components: Scripting
    Affects Versions: Scripting Sightly Engine 1.0.18
            Reporter: Konrad Windszus


For the following Sightly script
{code}
<a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
{code}
the generated Servlet looks like this
{code}
Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss", 
"invalidelement", "unsafe"), "elementName");
    if (RenderUtils.toBoolean(var_tagvar0)) {
        out.write("<");
        out.write(RenderUtils.toString(var_tagvar0));
    }
    if (!RenderUtils.toBoolean(var_tagvar0)) {
        out.write("<a");
    }
    out.write(">");
    if (RenderUtils.toBoolean(var_tagvar0)) {
        out.write("</");
        out.write(RenderUtils.toString(var_tagvar0));
        out.write(">");
    }
    if (!RenderUtils.toBoolean(var_tagvar0)) {
        out.write("</a>");
    }
{code}

So the element is XSS protected twice. First with 'unsafe' (which doesn't 
modify the given literal) and then with 'elementname'.
This contradicts the documentation at 
https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which says
{quote}
For security reasons, data-sly-element accepts only the following element names:
a abbr address article aside b bdi bdo blockquote br caption cite code col 
colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header 
i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub 
sup table tbody td tfoot th thead time tr u var wbr

To set other elements, XSS security must be turned off (@context='unsafe').
{quote}

The HTL spec only says
{quote}
The element name is automatically XSS-protected with the elementName context, 
which by the way doesn't allow elements like <script>, <style>, <form>, or 
<input> (see the Display Context section for the exact list).
{quote}
(https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).

I am wondering, if it really is just impossible to give out arbitrary tag names 
with {{data-sly-element}}. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to