[
https://issues.apache.org/jira/browse/SLING-5944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15426755#comment-15426755
]
Radu Cotescu commented on SLING-5944:
-------------------------------------
I guess the better approach here would be to actually allow switching the
context to 'unsafe'. BTW, the source of truth is the HTL specification. I'll
ask my documentation colleagues to correct the information from
https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element.
> Sightly doesn't allow to overwrite the context for `data-sly-element`
> ---------------------------------------------------------------------
>
> Key: SLING-5944
> URL: https://issues.apache.org/jira/browse/SLING-5944
> Project: Sling
> Issue Type: Bug
> Components: Scripting
> Affects Versions: Scripting Sightly Engine 1.0.18
> Reporter: Konrad Windszus
> Assignee: Radu Cotescu
> Fix For: Scripting Sightly Engine 1.0.20
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> For the following Sightly script
> {code}
> <a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
> {code}
> the generated Servlet looks like this
> {code}
> Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss",
> "invalidelement", "unsafe"), "elementName");
> if (RenderUtils.toBoolean(var_tagvar0)) {
> out.write("<");
> out.write(RenderUtils.toString(var_tagvar0));
> }
> if (!RenderUtils.toBoolean(var_tagvar0)) {
> out.write("<a");
> }
> out.write(">");
> if (RenderUtils.toBoolean(var_tagvar0)) {
> out.write("</");
> out.write(RenderUtils.toString(var_tagvar0));
> out.write(">");
> }
> if (!RenderUtils.toBoolean(var_tagvar0)) {
> out.write("</a>");
> }
> {code}
> So the element name is XSS protected twice. First with 'unsafe' (which
> doesn't modify the given literal) and then with 'elementName', which removes
> the literal.
> Therefore the generated HTML from the servlet is {{<a></a>}} instead of
> {{<invalidelement></invalidelement>}}
> This contradicts the documentation at
> https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which
> says
> {quote}
> For security reasons, data-sly-element accepts only the following element
> names:
> a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
> data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
> kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
> sup table tbody td tfoot th thead time tr u var wbr
> To set other elements, XSS security must be turned off (@context='unsafe').
> {quote}
> The HTL spec only says
> {quote}
> The element name is automatically XSS-protected with the elementName context,
> which by the way doesn't allow elements like <script>, <style>, <form>, or
> <input> (see the Display Context section for the exact list).
> {quote}
> (https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).
> I am wondering if it really is just impossible to give out arbitrary tag
> names with {{data-sly-element}}.
> IMHO if another context is given, that one should replace the "elementName"
> context, instead of being added on top.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
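To make the two composition strategies discussed in the issue concrete, here is an added Python model that is not part of Sling or the HTL engine. It assumes a toy `xss()` function standing in for `renderContext.call("xss", value, context)`, an allow-list copied from the documentation quoted above for the `elementName` context (exact-match; the real engine's case handling is not covered by the issue), and HTL's rule that an empty string is falsy, which is what `RenderUtils.toBoolean` returns in the generated servlet. `stacked_element_name` reproduces the reported behaviour (explicit context applied first, `elementName` added on top); `replaced_element_name` models the proposal in the last paragraph of the issue, where an explicit context replaces `elementName`. The default path still drops names such as `script` and `form`, which is the protection the allow-list exists to provide.

```python
# Added example (not Sling/HTL code): model of how data-sly-element's
# context composition decides which tag name reaches the output.

# Allow-list for the 'elementName' display context, copied from the
# documentation text quoted in the issue.
ELEMENT_NAME_ALLOWLIST = frozenset("""
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
""".split())


def xss(value, context):
    """Toy stand-in (assumption) for renderContext.call("xss", value, context).

    Only the two contexts relevant to the issue are modelled:
      - 'unsafe'      : passes the value through untouched
      - 'elementName' : keeps the value only if it is an allow-listed tag name,
                        otherwise returns "" (which HTL treats as false)
    """
    text = "" if value is None else str(value)
    if context == "unsafe":
        return text
    if context == "elementName":
        return text if text in ELEMENT_NAME_ALLOWLIST else ""
    raise ValueError(f"unsupported context in this toy model: {context!r}")


def stacked_element_name(name, explicit_context):
    """Behaviour reported in the issue: the explicit context is applied first and
    'elementName' is added on top, mirroring
    xss(xss("invalidelement", "unsafe"), "elementName")."""
    return xss(xss(name, explicit_context), "elementName")


def replaced_element_name(name, explicit_context=None):
    """Behaviour proposed in the issue: an explicit context replaces the default
    'elementName' context instead of being stacked on it."""
    return xss(name, explicit_context or "elementName")


def render(sanitized_name, literal_tag="a"):
    """Mirror the branching of the generated servlet: if the sanitized name is
    truthy (non-empty) it is written as the tag, otherwise the literal tag from
    the template ('<a>' in the issue) is written unchanged."""
    tag = sanitized_name if sanitized_name else literal_tag
    return f"<{tag}></{tag}>"


if __name__ == "__main__":
    # Reported behaviour: 'unsafe' is overridden, output collapses to <a></a>
    print(render(stacked_element_name("invalidelement", "unsafe")))
    # Proposed behaviour: the explicit context wins
    print(render(replaced_element_name("invalidelement", "unsafe")))
    # Default context still refuses names outside the allow-list
    print(render(replaced_element_name("script")))
    print(render(replaced_element_name("div")))
```

The `render` helper only reproduces the two `if`/`if (!...)` branches of the generated servlet, so the same literal fallback (`<a>`) applies in both models; the difference between them is entirely in which string reaches `toBoolean`.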