[ https://issues.apache.org/jira/browse/SLING-7024?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konrad Windszus updated SLING-7024:
-----------------------------------
Description:
For the following Sightly script
{code}
<a data-sly-attribute.style="${'background-color: #00ff00' @
context='style-token'}"></a>
{code}
The generated a element will not contain a style attribute.
Instead the following error is emitted in the log
{code}
31.07.2017 09:26:12.448 *WARN* [172.19.0.1 [1501493172400] GET /<some URL>
HTTP/1.1] org.apache.sling.scripting.sightly.impl.engine.SightlyScriptEngine
Script <some script path> 11:32: ${'background-color: #00ff00' @
context='style-token'}: Refusing to generate attribute 'style' for security
reasons.
{code}
This is due to the fact that the default XSS context is "attribute" which does
not allow style attributes.
was:
For the following Sightly script
{code}
<a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
{code}
the generated Servlet looks like this
{code}
Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss",
"invalidelement", "unsafe"), "elementName");
if (RenderUtils.toBoolean(var_tagvar0)) {
out.write("<");
out.write(RenderUtils.toString(var_tagvar0));
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
out.write("<a");
}
out.write(">");
if (RenderUtils.toBoolean(var_tagvar0)) {
out.write("</");
out.write(RenderUtils.toString(var_tagvar0));
out.write(">");
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
out.write("</a>");
}
{code}
So the element name is XSS protected twice. First with 'unsafe' (which doesn't
modify the given literal) and then with 'elementname', which removes the
literal.
Therefore the generated HTML from the servlet is {{<a></a>}} instead of
{{<invalidelement></invalidelement>}}
This contradicts the documentation at
https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which says
{quote}
For security reasons, data-sly-element accepts only the following element names:
a abbr address article aside b bdi bdo blockquote br caption cite code col
colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header
i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
To set other elements, XSS security must be turned off (@context='unsafe').
{quote}
The HTL spec only says
{quote}
The element name is automatically XSS-protected with the elementName context,
which by the way doesn't allow elements like <script>, <style>, <form>, or
<input> (see the Display Context section for the exact list).
{quote}
(https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).
I am wondering if it really is just impossible to give out arbitrary tag names
with {{data-sly-element}}.
IMHO if another context is given, that one should replace the "elementName"
context, instead of being added on top.
> Sightly doesn't allow to overwrite the context for `data-sly-attribute`
> -----------------------------------------------------------------------
>
> Key: SLING-7024
> URL: https://issues.apache.org/jira/browse/SLING-7024
> Project: Sling
> Issue Type: Bug
> Components: Scripting
> Affects Versions: Scripting HTL Compiler 1.0.8
> Reporter: Konrad Windszus
> Assignee: Radu Cotescu
>
> For the following Sightly script
> {code}
> <a data-sly-attribute.style="${'background-color: #00ff00' @
> context='style-token'}"></a>
> {code}
> The generated a element will not contain a style attribute.
> Instead the following error is emitted in the log
> {code}
> 31.07.2017 09:26:12.448 *WARN* [172.19.0.1 [1501493172400] GET /<some URL>
> HTTP/1.1] org.apache.sling.scripting.sightly.impl.engine.SightlyScriptEngine
> Script <some script path> 11:32: ${'background-color: #00ff00' @
> context='style-token'}: Refusing to generate attribute 'style' for security
> reasons.
> {code}
> This is due to the fact that the default XSS context is "attribute" which
> does not allow style attributes.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
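The double filtering the issue describes, as an added example that is not Sling's or the HTL compiler's code: a small Python model of HTL display contexts. The elementName allow-list is the one quoted in the issue, the fallback to a literal {{<a>}} mirrors the generated servlet shown above, and {{unsafe}} passes the value through unchanged. Everything else is an assumption made for the model: the refusal of {{on*}} attribute names by the {{attribute}} context (the issue only shows {{style}} being refused), the conservative character set used for {{style-token}}, and applying the same "explicit context, then default context on top" chaining to {{data-sly-attribute}}, for which the issue shows only the log line and not the generated code.

```python
import html
import re

# Element names the elementName context accepts (the list quoted in SLING-7024).
ELEMENT_NAME_ALLOW_LIST = frozenset("""
a abbr address article aside b bdi bdo blockquote br caption cite code col
colgroup data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6
header i ins kbd li main mark nav ol p pre q rp rt ruby s samp section small
span strong sub sup table tbody td tfoot th thead time tr u var wbr
""".split())


def _attribute_context_refuses(attr_name):
    """Attribute names the default 'attribute' context will not emit at all.
    'style' is the case from the issue's log line; 'on*' is an assumption."""
    n = attr_name.lower()
    return n == "style" or n.startswith("on")


def xss(value, context, attr_name=None):
    """One display-context pass (a model of renderContext.call("xss", ...)).
    Returns the filtered value, or None when the context refuses the value."""
    if context == "unsafe":                      # no filtering, as in the issue
        return value
    if context == "elementName":                 # allow-list from the docs
        return value if value.lower() in ELEMENT_NAME_ALLOW_LIST else None
    if context == "attribute":                   # escape, refuse risky names
        if attr_name is not None and _attribute_context_refuses(attr_name):
            return None
        return html.escape(value, quote=True)
    if context == "style-token":                 # assumed: conservative CSS set
        return value if re.fullmatch(r"[A-Za-z0-9#:;%., -]+", value) else None
    raise ValueError(f"unknown display context {context!r}")


def apply_contexts(value, default_context, explicit_context, chain, attr_name=None):
    """Combine the block's default context with an explicit @ context='...'.
    chain=True reproduces the generated servlet in the issue (explicit pass,
    then the default pass on top of its result); chain=False is the behaviour
    the reporter asks for (the explicit context replaces the default one)."""
    if explicit_context is None:
        return xss(value, default_context, attr_name)
    filtered = xss(value, explicit_context, attr_name)
    if chain and filtered is not None:
        filtered = xss(filtered, default_context, attr_name)
    return filtered


def render_element(name_expr, explicit_context=None, chain=True, inner=""):
    """data-sly-element: when the name is refused, the generated servlet
    writes the literal element (here <a>), exactly as in the issue."""
    tag = apply_contexts(name_expr, "elementName", explicit_context, chain)
    tag = tag if tag else "a"   # RenderUtils.toBoolean(var_tagvar0) == false
    return f"<{tag}>{inner}</{tag}>"


def render_attribute(attr_name, value_expr, explicit_context=None, chain=True):
    """data-sly-attribute.<name>: returns ' name="value"', or '' when refused."""
    v = apply_contexts(value_expr, "attribute", explicit_context, chain, attr_name)
    return "" if v is None else f' {attr_name}="{v}"'


if __name__ == "__main__":
    # Element name: chaining makes @ context='unsafe' irrelevant, replacing honours it.
    print(render_element("invalidelement", "unsafe", chain=True))    # <a></a>
    print(render_element("invalidelement", "unsafe", chain=False))   # <invalidelement></invalidelement>
    # Attribute: the default 'attribute' pass still refuses 'style' when chained.
    print(repr(render_attribute("style", "background-color: #00ff00", "style-token", chain=True)))
    print(repr(render_attribute("style", "background-color: #00ff00", "style-token", chain=False)))
```

With chaining, the explicit context can only ever narrow what the default context would already have produced, which is why neither {{unsafe}} on {{data-sly-element}} nor {{style-token}} on {{data-sly-attribute.style}} has any visible effect; replacing the default context keeps the allow-list and the attribute-name refusal as the behaviour when no context is given, while letting an author opt out explicitly.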