Posted to commits@sling.apache.org by ra...@apache.org on 2018/06/29 15:47:23 UTC

[sling-org-apache-sling-xss] branch master updated: SLING-7758 - [XSS] Enable support for data attributes

This is an automated email from the ASF dual-hosted git repository.

radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git


The following commit(s) were added to refs/heads/master by this push:
     new 778794d  SLING-7758 - [XSS] Enable support for data attributes
778794d is described below

commit 778794d23e5e882397c125365b860ea2dbcf6da1
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Fri Jun 29 17:47:00 2018 +0200

    SLING-7758 - [XSS] Enable support for data attributes
    
    * updated configuration
    * added tests
---
 src/main/resources/SLING-INF/content/config.xml             | 13 +++++++++++++
 .../java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java  | 11 +++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/main/resources/SLING-INF/content/config.xml b/src/main/resources/SLING-INF/content/config.xml
index b57a4fa..5b32e35 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
@@ -39,6 +39,8 @@ http://www.w3.org/TR/html401/struct/global.html
         <directive name="connectionTimeout" value="5000"/>
         <directive name="maxStyleSheetImports" value="3"/>
 
+        <!-- Allows the use of dynamic attributes (i.e. HTML5 "data-") -->
+        <directive name="allowDynamicAttributes" value="true"/>
     </directives>
 
     <common-regexps>
@@ -216,6 +218,12 @@ http://www.w3.org/TR/html401/struct/global.html
             </regexp-list>
         </attribute>
 
+        <attribute name="data-" description="Allows the HTML5 'data-' attribute to be added to elements">
+            <regexp-list>
+                <regexp name="anything"/>
+            </regexp-list>
+        </attribute>
+
 
         <!-- the "style" attribute will be validated by an inline stylesheet scanner, so no need to define anything here - i hate having to special case this but no other choice -->
         <attribute name="style"
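Review bot: The `data-` attribute rule added at the top of this hunk binds the attribute to the `anything` regexp, so once the `<dynamic-tag-attributes>` entry in the next hunk makes the prefix match apply, every `data-*` attribute passes with an unconstrained value. That is presumably fine for the markup itself, assuming the serializer re-encodes attribute values on output, but many client-side libraries read specific `data-*` names and act on their contents, so an application that renders sanitized user HTML alongside such scripts inherits a DOM-side trust question the policy no longer screens; the description on the rule should say so, e.g. `description="Allows any HTML5 'data-' attribute with an unconstrained value; scripts that read data-* attributes must treat them as untrusted input"`. The rule also presumes a `<regexp name="anything">` entry exists in `<common-regexps>`, which is outside this hunk; the policy will not load if it is missing, so worth confirming. The first hunk's `allowDynamicAttributes` directive comment could likewise point at the `<dynamic-tag-attributes>` block it enables, since the two are far apart in the file.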
@@ -538,6 +546,11 @@ http://www.w3.org/TR/html401/struct/global.html
         <attribute name="lang"/>
     </global-tag-attributes>
 
+    <!-- Declare "dynamic" tag attributes here. The directive "allowDynamicAttributes" must be set to true -->
+    <dynamic-tag-attributes>
+        <attribute name="data-"/> <!-- HTML5 "data-" tag -->
+    </dynamic-tag-attributes>
+
     <tags-to-encode>
         <tag>g</tag>
         <tag>grin</tag>
diff --git a/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java b/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java
index f39329b..53e8fa1 100644
--- a/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyTest.java
@@ -189,6 +189,17 @@ public class AntiSamyPolicyTest {
         testOutputContains("<div style=\"color: #0000\">Test</div>", "style=\"\"", true, true);
     }
 
+    @Test
+    public void testDataAttributes() throws Exception {
+        TestInput[] testInputs = new TestInput[]{
+                new TestInput("<p data-tag=\"abc123\">Hello World!</p>", "data-tag", true),
+                new TestInput("<p dat-tag=\"abc123\">Hello World!</p>", "dat-tag", false),
+        };
+        for (TestInput testInput : testInputs) {
+            testOutputContains(testInput.input, testInput.expectedPartialOutput, testInput.containsExpectedPartialOutput, false, Mode.SAX);
+        }
+    }
+
     private void testOutputContains(String input, String containedString, boolean contains) throws Exception {
         testOutputContains(input, containedString, contains, false);
     }
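Review bot: The positive case in `testDataAttributes` only asserts that the substring `data-tag` appears in the output, so it would still pass if the sanitizer kept the attribute name but dropped or altered its value; pinning the full pair, `new TestInput("<p data-tag=\"abc123\">Hello World!</p>", "data-tag=\"abc123\"", true),`, checks the behaviour the policy change is meant to enable. The test also runs only under `Mode.SAX`; if the five-argument `testOutputContains` overload (defined outside this hunk, as are `TestInput` and `Mode`) accepts the other parser mode, a second pass over the same inputs in that mode would confirm the new policy entries apply to both code paths. A one-line Javadoc naming SLING-7758 and the `allowDynamicAttributes` directive under test would help the next reader connect the test to the config change.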