Posted to dev@sling.apache.org by "Radu Cotescu (JIRA)" <ji...@apache.org> on 2017/05/19 11:50:04 UTC

[jira] [Created] (SLING-6866) HTL doesn't allow to overwrite the context for data-sly-text

Radu Cotescu created SLING-6866:
-----------------------------------

             Summary: HTL doesn't allow to overwrite the context for data-sly-text
                 Key: SLING-6866
                 URL: https://issues.apache.org/jira/browse/SLING-6866
             Project: Sling
          Issue Type: Bug
          Components: Scripting
    Affects Versions: Scripting Sightly Engine 1.0.18
            Reporter: Konrad Windszus
            Assignee: Radu Cotescu
             Fix For: Scripting HTL Engine 1.0.20, Scripting HTL Compiler 1.0.0


For the following Sightly script
{code}
<a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
{code}
the generated Servlet looks like this
{code}
Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss", "invalidelement", "unsafe"), "elementName");
if (RenderUtils.toBoolean(var_tagvar0)) {
    out.write("<");
    out.write(RenderUtils.toString(var_tagvar0));
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
    out.write("<a");
}
out.write(">");
if (RenderUtils.toBoolean(var_tagvar0)) {
    out.write("</");
    out.write(RenderUtils.toString(var_tagvar0));
    out.write(">");
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
    out.write("</a>");
}
{code}

So the element name is XSS-protected twice. First with 'unsafe' (which doesn't modify the given literal) and then with 'elementName', which removes the literal.
Therefore the generated HTML from the servlet is {{<a></a>}} instead of {{<invalidelement></invalidelement>}}.

This contradicts the documentation at https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which says
{quote}
For security reasons, data-sly-element accepts only the following element names:
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub 
sup table tbody td tfoot th thead time tr u var wbr

To set other elements, XSS security must be turned off (@context='unsafe').
{quote}

The HTL spec only says
{quote}
The element name is automatically XSS-protected with the elementName context, which by the way doesn't allow elements like <script>, <style>, <form>, or <input> (see the Display Context section for the exact list).
{quote}
(https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).

I am wondering if it really is just impossible to output arbitrary tag names with {{data-sly-element}}.
IMHO if another context is given, that one should replace the "elementName" context, instead of being added on top.
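The following is an added illustration of the behaviour described in this report; it is not code from the Sling HTL engine. It is a small Python model of the two display contexts involved, using the element allowlist quoted from the Adobe documentation above. The function names, the fallback handling and the exact allowlist comparison are assumptions modelled on the generated servlet shown in the report; the engine's real `xss` call is not used.

```python
# Added example: a Python model of HTL display-context filtering for
# data-sly-element. Not code from the Sling HTL engine; function names and
# the allowlist handling are assumptions. The allowlist is the one quoted
# from the Adobe HTL documentation in this issue.

# Element names the 'elementName' context lets through (from the docs).
ELEMENT_NAME_ALLOWLIST = frozenset("""
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
""".split())


def xss_filter(value: str, context: str) -> str:
    """Model of renderContext.call("xss", value, context) for the two contexts used here.

    'unsafe' passes the value through untouched; 'elementName' returns the value
    only if it is on the allowlist and an empty string otherwise (the empty string
    is what makes RenderUtils.toBoolean() false in the generated servlet).
    """
    if context == "unsafe":
        return value
    if context == "elementName":
        return value if value in ELEMENT_NAME_ALLOWLIST else ""
    raise ValueError(f"context not modelled here: {context}")


def render_element(tag_name: str, contexts, fallback: str = "a") -> str:
    """Mirror the servlet's control flow: filter through each context in order,
    then emit the filtered name, or the literal tag from the template when the
    filtered name is empty."""
    value = tag_name
    for ctx in contexts:
        value = xss_filter(value, ctx)
    name = value or fallback
    return f"<{name}></{name}>"


def stacked(tag_name: str, explicit_context: str) -> str:
    """Behaviour reported in this issue: the explicit @ context is applied first
    and 'elementName' is applied on top, so the explicit context never wins."""
    return render_element(tag_name, (explicit_context, "elementName"))


def overriding(tag_name: str, explicit_context: str) -> str:
    """Behaviour proposed in this issue: the explicit @ context replaces
    'elementName' instead of being combined with it."""
    return render_element(tag_name, (explicit_context,))


if __name__ == "__main__":
    # Reproduces the report: <a></a> today, <invalidelement></invalidelement> with override semantics.
    print(stacked("invalidelement", "unsafe"))
    print(overriding("invalidelement", "unsafe"))
    # Without an explicit context the allowlist still governs in both models.
    print(render_element("script", ("elementName",)))
```

With override semantics, `@ context='unsafe'` on `data-sly-element` does what the documentation describes: it lifts the allowlist entirely, so `overriding("script", "unsafe")` yields a `<script>` element. That is the trade-off the documentation spells out, and a template reviewer should read `unsafe` on an element name with the same care as `unsafe` on any other output.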
