[ 
https://issues.apache.org/jira/browse/SLING-7024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107462#comment-16107462
 ] 

Konrad Windszus edited comment on SLING-7024 at 7/31/17 3:57 PM:
-----------------------------------------------------------------

Thanks for your comments.

1. You are right, sorry for the mistake, the example should rather use context 
`attribute` here!
2. Yes, I observed that as well, but this is not obvious from the warning; I 
would therefore rather have the workaround mentioned directly in the WARN. Your 
workaround to use classes instead of direct styles is not always feasible (e.g. 
in a CMS where the number of allowed background colors is the full RGB value 
set, https://www.w3.org/TR/css3-color/#rgb-color). IMHO the same overwrite 
possibility should be provided inside `data-sly-attribute` as with a simple 
expression. So giving an explicit context should be enough here to explicitly 
state that you really want to set that potentially sensitive value.
3. Sorry again, did not see that at first glance in the source code.

Still I would really appreciate a clarification in the specs, a way to 
overwrite the suppression with an explicit context, and a clearer warning in 
the log.


was (Author: kwin):
Thanks for your comments.

1. You are right, sorry for the mistake, the example should rather use context 
`attribute` here!
2. Yes, I observed that as well, but this is not obvious from the warning; I 
would therefore rather have the workaround mentioned directly in the WARN. Your 
workaround to use classes instead of direct styles is not always feasible (e.g. 
in a CMS where the number of allowed background colors is the full RGB value 
set, https://www.w3.org/TR/css3-color/#rgb-color). IMHO the same overwrite 
possibility should be provided inside `data-sly-attribute` as with a simple 
expression. So giving an explicit context should be enough here to explicitly 
state that you really want to set that potentially sensitive value.
3. Sorry again, did not see that at first glance in the source code.

Still I would really appreciate both a clarification in the specs and a 
clearer warning in the log.

> Sightly doesn't allow to emit style or on event attributes for 
> `data-sly-attribute`
> -----------------------------------------------------------------------------------
>
>                 Key: SLING-7024
>                 URL: https://issues.apache.org/jira/browse/SLING-7024
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting HTL Compiler 1.0.8
>            Reporter: Konrad Windszus
>            Assignee: Radu Cotescu
>         Attachments: Screenshot 2017-07-31 17.41.51.png
>
>
> For the following Sightly script
> {code}
> <a data-sly-attribute.style="${'background-color: #00ff00' @ 
> context='style-token'}"></a>
> {code}
> The generated `a` element will not contain a `style` attribute.
> Instead, the following error is emitted in the log:
> {code}
> 31.07.2017 09:26:12.448 *WARN* [172.19.0.1 [1501493172400] GET /<some URL> 
> HTTP/1.1] org.apache.sling.scripting.sightly.impl.engine.SightlyScriptEngine 
> Script <some script path> 11:32: ${'background-color: #00ff00' @ 
> context='style-token'}: Refusing to generate attribute 'style' for security 
> reasons.
> {code}
> This is unexpected, as neither the HTL spec 
> (https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#223-attribute)
>  nor the Adobe documentation at 
> https://docs.adobe.com/docs/en/htl/docs/block-statements.html#attribute 
> mentions that. Please either document that or rather lift that limitation.
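The reason HTL refuses a `style` attribute is that a style value is a CSS injection sink, and generic escaping cannot make an arbitrary string safe there. For the CMS case from the comment above (any RGB colour allowed, nothing else), the defensive alternative is to allowlist the value in the component's Java code before it ever reaches the template. The following is an added example written for this discussion; it is not code from the issue, from Sling or from HTL, and the class name and the CMS dialog it assumes as input source are hypothetical.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical helper: reduces a CMS-supplied colour to the CSS3 RGB syntax
 * (#rgb, #rrggbb or rgb(r, g, b)) and normalises it to #rrggbb. Anything else,
 * such as additional declarations, url(...) or expression(...), is rejected,
 * so only a six-hex-digit colour can end up inside the style attribute.
 */
public final class CssColorAllowlist {
    private static final Pattern HEX =
            Pattern.compile("^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$");
    private static final Pattern RGB = Pattern.compile(
            "^rgb\\(\\s*(\\d{1,3})\\s*,\\s*(\\d{1,3})\\s*,\\s*(\\d{1,3})\\s*\\)$");

    private CssColorAllowlist() {}

    /** Returns the colour as #rrggbb, or empty if the input is not a plain RGB colour. */
    public static Optional<String> normalise(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        String value = raw.trim();
        Matcher hex = HEX.matcher(value);
        if (hex.matches()) {
            String digits = hex.group(1).toLowerCase();
            if (digits.length() == 3) {
                // Expand the short form: #0f0 -> #00ff00
                StringBuilder expanded = new StringBuilder();
                for (char c : digits.toCharArray()) {
                    expanded.append(c).append(c);
                }
                digits = expanded.toString();
            }
            return Optional.of("#" + digits);
        }
        Matcher rgb = RGB.matcher(value);
        if (rgb.matches()) {
            int r = Integer.parseInt(rgb.group(1));
            int g = Integer.parseInt(rgb.group(2));
            int b = Integer.parseInt(rgb.group(3));
            if (r > 255 || g > 255 || b > 255) {
                return Optional.empty(); // out of the 0..255 channel range
            }
            return Optional.of(String.format("#%02x%02x%02x", r, g, b));
        }
        return Optional.empty();
    }

    /** The only declaration the template is allowed to emit, or null when the value was rejected. */
    public static String backgroundColorDeclaration(String raw) {
        return normalise(raw).map(c -> "background-color: " + c).orElse(null);
    }
}
```

With this in place the template only ever sees either `null` (attribute omitted) or a fixed-shape `background-color: #rrggbb` string, which is the property an explicit context override would otherwise have to trust the author to guarantee.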



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)