Posted to commits@sling.apache.org by ra...@apache.org on 2018/06/29 15:47:23 UTC
[sling-org-apache-sling-xss] branch master updated: SLING-7758 -
[XSS] Enable support for data attributes
This is an automated email from the ASF dual-hosted git repository.
radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
The following commit(s) were added to refs/heads/master by this push:
new 778794d SLING-7758 - [XSS] Enable support for data attributes
778794d is described below
commit 778794d23e5e882397c125365b860ea2dbcf6da1
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Fri Jun 29 17:47:00 2018 +0200
SLING-7758 - [XSS] Enable support for data attributes
* updated configuration
* added tests
---
src/main/resources/SLING-INF/content/config.xml | 13 +++++++++++++
.../java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java | 11 +++++++++++
2 files changed, 24 insertions(+)
diff --git a/src/main/resources/SLING-INF/content/config.xml b/src/main/resources/SLING-INF/content/config.xml
index b57a4fa..5b32e35 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
@@ -39,6 +39,8 @@ http://www.w3.org/TR/html401/struct/global.html
<directive name="connectionTimeout" value="5000"/>
<directive name="maxStyleSheetImports" value="3"/>
+ <!-- Allows the use of dynamic attributes (i.e. HTML5 "data-") -->
+ <directive name="allowDynamicAttributes" value="true"/>
</directives>
<common-regexps>
@@ -216,6 +218,12 @@ http://www.w3.org/TR/html401/struct/global.html
</regexp-list>
</attribute>
+ <attribute name="data-" description="Allows the HTML5 'data-' attribute to be added to elements">
+ <regexp-list>
+ <regexp name="anything"/>
+ </regexp-list>
+ </attribute>
+
<!-- the "style" attribute will be validated by an inline stylesheet scanner, so no need to define anything here - i hate having to special case this but no other choice -->
<attribute name="style"
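Review bot: The new `data-` attribute is declared with `<regexp name="anything"/>`, so any `data-*` value is accepted without validation; the policy then relies solely on the output serializer to encode `"`, `<` and `&` in the value, and page scripts that read `dataset` values and write them into the DOM receive that content unchanged. The description should state this so consumers do not mistake it for a validated attribute, e.g. `description="Allows any HTML5 'data-' attribute; values are not validated beyond output encoding"`. If a narrower pattern from `<common-regexps>` fits the intended use it would be preferable to `anything`; note that only the opening `<common-regexps>` tag is visible in the hunk above, so I could not confirm from this diff that a regexp named `anything` is defined in this file. The same `data-` prefix is declared again in the `<dynamic-tag-attributes>` hunk below and the two must stay in sync.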
@@ -538,6 +546,11 @@ http://www.w3.org/TR/html401/struct/global.html
<attribute name="lang"/>
</global-tag-attributes>
+ <!-- Declare "dynamic" tag attributes here. The directive "allowDynamicAttributes" must be set to true -->
+ <dynamic-tag-attributes>
+ <attribute name="data-"/> <!-- HTML5 "data-" tag -->
+ </dynamic-tag-attributes>
+
<tags-to-encode>
<tag>g</tag>
<tag>grin</tag>
diff --git a/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java b/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java
index f39329b..53e8fa1 100644
--- a/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java
@@ -189,6 +189,17 @@ public class AntiSamyPolicyTest {
testOutputContains("<div style=\"color: #0000\">Test</div>", "style=\"\"", true, true);
}
+ @Test
+ public void testDataAttributes() throws Exception {
+ TestInput[] testInputs = new TestInput[]{
+ new TestInput("<p data-tag=\"abc123\">Hello World!</p>", "data-tag", true),
+ new TestInput("<p dat-tag=\"abc123\">Hello World!</p>", "dat-tag", false),
+ };
+ for (TestInput testInput : testInputs) {
+ testOutputContains(testInput.input, testInput.expectedPartialOutput, testInput.containsExpectedPartialOutput, false, Mode.SAX);
+ }
+ }
+
private void testOutputContains(String input, String containedString, boolean contains) throws Exception {
testOutputContains(input, containedString, contains, false);
}
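Review bot: testDataAttributes only runs in `Mode.SAX` and only asserts that the attribute name `data-tag` survives, so it does not pin the property the new policy depends on once the value regexp is `anything`: that a `data-*` value containing `"`, `<` or `&` is emitted encoded rather than verbatim. Add a third `TestInput` whose value contains such a character and assert that the output contains the encoded form, and exercise the DOM mode too if the other tests in this class do so — `TestInput`, the `Mode` enum and the rest of the class are outside the hunk, so I cannot see which modes they cover. The negative `dat-tag` case is useful because it shows the prefix match is not fuzzy; a comment on that line, `// prefix must be exactly "data-"`, would make the intent explicit.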