[ https://issues.apache.org/jira/browse/SLING-7024?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konrad Windszus updated SLING-7024:
-----------------------------------
    Description: 
For the following Sightly script
{code}
<a data-sly-attribute.style="${'background-color: #00ff00' @ context='style-token'}"></a>
{code}
The generated a element will not contain a style attribute.
Instead the following error is emitted in the log
{code}
31.07.2017 09:26:12.448 *WARN* [172.19.0.1 [1501493172400] GET /<some URL> HTTP/1.1] org.apache.sling.scripting.sightly.impl.engine.SightlyScriptEngine Script <some script path> 11:32: ${'background-color: #00ff00' @ context='style-token'}: Refusing to generate attribute 'style' for security reasons.
{code}

This is unexpected from the HTL spec

  was:
For the following Sightly script
{code}
<a data-sly-attribute.style="${'background-color: #00ff00' @ context='style-token'}"></a>
{code}
The generated a element will not contain a style attribute.
Instead the following error is emitted in the log
{code}
31.07.2017 09:26:12.448 *WARN* [172.19.0.1 [1501493172400] GET /<some URL> HTTP/1.1] org.apache.sling.scripting.sightly.impl.engine.SightlyScriptEngine Script <some script path> 11:32: ${'background-color: #00ff00' @ context='style-token'}: Refusing to generate attribute 'style' for security reasons.
{code}

This is due to the fact that the default XSS context is "attribute" which does 
not allow style attributes.


> Sightly doesn't allow to overwrite the context for `data-sly-attribute`
> -----------------------------------------------------------------------
>
>                 Key: SLING-7024
>                 URL: https://issues.apache.org/jira/browse/SLING-7024
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting HTL Compiler 1.0.8
>            Reporter: Konrad Windszus
>            Assignee: Radu Cotescu
>
> For the following Sightly script
> {code}
> <a data-sly-attribute.style="${'background-color: #00ff00' @ context='style-token'}"></a>
> {code}
> The generated a element will not contain a style attribute.
> Instead the following error is emitted in the log
> {code}
> 31.07.2017 09:26:12.448 *WARN* [172.19.0.1 [1501493172400] GET /<some URL> HTTP/1.1] org.apache.sling.scripting.sightly.impl.engine.SightlyScriptEngine Script <some script path> 11:32: ${'background-color: #00ff00' @ context='style-token'}: Refusing to generate attribute 'style' for security reasons.
> {code}
> This is unexpected from the HTL spec


