Lukas Kummer created SLING-6959:
-----------------------------------

Summary: XssProtection changes html semantic caused by formatting
Key: SLING-6959
URL: https://issues.apache.org/jira/browse/SLING-6959
Project: Sling
Issue Type: Bug
Affects Versions: Scripting Sightly Engine 1.0.2, XSS Protection API 1.0.2
Environment: AEM
Reporter: Lukas Kummer
Priority: Minor
Attachments: space.png
When using Sightly, the following HTML:

{code:html}
<td class="infoline" >
    ${component.infoline @ context='html'}
</td>
{code}

will be compiled to:

{code:java}
String var_28 = ((" "+renderContext.toString(renderContext.call("xss", renderContext.resolveProperty(_global_component, "infoline"), "html")))+" ");
{code}

which calls org.apache.sling.scripting.sightly.impl.engine.extension.XSSRuntimeExtension.call(RenderContext, Object...) and later org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(String).

When this method is called with this String:

{code:html}
Is it a <span style="color:#e60000">threat</span> or an <span style="color:#e60000">opportunity</span>?<br> Is it a threat or an opportunity?
{code}

it will be turned into:

{code:html}
Is it a <span style="color: rgb(230,0,0);">threat</span> or an <span style="color: rgb(230,0,0);">opportunity</span> ?<br /> Is it a threat or an opportunity?
{code}

which leads to the problem that there is a space between the word "opportunity" and the question mark.

However, the formatting can be configured by changing SLING-INF/content/config.xml (from <directive name="formatOutput" value="true"/> to <directive name="formatOutput" value="false"/>).

But anyway, the formatting shouldn't change the semantics, which is why the formatting directive should always be false.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
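A regression check for the behaviour described in this issue, added here as an example that is not part of the Sling project or the reporter's report: it extracts the visible text nodes of an HTML fragment before and after HTML filtering and asserts they are identical, so a sanitizer that pretty-prints its output (as the formatOutput directive does) and thereby inserts a space before the question mark is caught. The sample strings are the input and output quoted in the issue; the helper names (visible_text, text_preserved, first_difference) are assumptions of this example, and Python's html.parser stands in for whatever parser the real test suite would use.

```python
from html.parser import HTMLParser


class _TextCollector(HTMLParser):
    """Collects only character data, ignoring tags and attributes."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(fragment):
    """Return the concatenated text nodes of an HTML fragment, tags removed."""
    collector = _TextCollector()
    collector.feed(fragment)
    collector.close()
    return "".join(collector.parts)


def text_preserved(original, filtered):
    """True if filtering changed only markup, never the user-visible text."""
    return visible_text(original) == visible_text(filtered)


def first_difference(original, filtered):
    """Index of the first differing character in the visible text, or -1 if equal."""
    a, b = visible_text(original), visible_text(filtered)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


# Constructed samples, taken from the issue text: the input to filterHTML and
# the output produced with formatOutput=true (note the space before "?").
ORIGINAL = (
    'Is it a <span style="color:#e60000">threat</span> or an '
    '<span style="color:#e60000">opportunity</span>?<br> '
    'Is it a threat or an opportunity?'
)
FILTERED_FORMATTED = (
    'Is it a <span style="color: rgb(230,0,0);">threat</span> or an '
    '<span style="color: rgb(230,0,0);">opportunity</span> ?<br /> '
    'Is it a threat or an opportunity?'
)
# Assumed output with formatOutput=false: same style rewriting, no injected space.
FILTERED_UNFORMATTED = (
    'Is it a <span style="color: rgb(230,0,0);">threat</span> or an '
    '<span style="color: rgb(230,0,0);">opportunity</span>?<br /> '
    'Is it a threat or an opportunity?'
)

if __name__ == "__main__":
    for label, out in (("formatted", FILTERED_FORMATTED), ("unformatted", FILTERED_UNFORMATTED)):
        ok = text_preserved(ORIGINAL, out)
        where = first_difference(ORIGINAL, out)
        print(f"{label}: text preserved={ok}, first difference at={where}")
```

Run as a unit test over every fixture the filter is expected to handle; a sanitizer is free to rewrite attributes and self-close tags, but any change to the visible text is a semantic change and should fail the build.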