Posted to dev@sling.apache.org by "Lukas Kummer (JIRA)" <ji...@apache.org> on 2017/06/14 16:05:00 UTC

[jira] [Created] (SLING-6959) XssProtection changes html semantic caused by formatting

Lukas Kummer created SLING-6959:
-----------------------------------

             Summary: XssProtection changes html semantic caused by formatting
                 Key: SLING-6959
                 URL: https://issues.apache.org/jira/browse/SLING-6959
             Project: Sling
          Issue Type: Bug
    Affects Versions: Scripting Sightly Engine 1.0.2, XSS Protection API 1.0.2
         Environment: AEM
            Reporter: Lukas Kummer
            Priority: Minor
         Attachments: space.png

When using Sightly, the following HTML:


{code:html}
<td class="infoline" > ${component.infoline @ context='html'} </td>
{code}

it will be compiled to:

{code:java}
String var_28 = ((" "+renderContext.toString(renderContext.call("xss", renderContext.resolveProperty(_global_component, "infoline"), "html")))+" ");
{code}

which calls 
org.apache.sling.scripting.sightly.impl.engine.extension.XSSRuntimeExtension.call(RenderContext, Object...)

and later:

org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(String)

When this method is called with this String:

{code:html}
Is it a <span style="color:#e60000">threat</span> or an <span style="color:#e60000">opportunity</span>?<br>
Is it a threat or an opportunity?
{code}

it will be turned into

{code:html}
Is it a <span style="color: rgb(230,0,0);">threat</span>
 or an <span style="color: rgb(230,0,0);">opportunity</span>
?<br />

Is it a threat or an opportunity?
{code}

which leads to the problem that there will be a space between the word "opportunity" and the question mark.

However, the formatting could be configured by changing the SLING-INF/content/config.xml
(from <directive name="formatOutput" value="true"/> to <directive name="formatOutput" value="false"/>)

But anyway, the formatting shouldn't change the semantics, which is why the formatting directive should always be false.





--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
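
A regression check for the behaviour reported above, as an added example that is not part of the original message or of Sling's code: it compares the visible text of the filter's input and output after HTML whitespace collapsing, using the two strings quoted in the report. The function names, the sentinel and the set of line-breaking tags are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from itertools import zip_longest

BREAK = "\x00"  # sentinel marking a forced line break
# Assumption: tags treated as line-breaking; whitespace next to them is not visible.
BREAKING_TAGS = {"br", "p", "div", "td", "tr", "li"}

class _Text(HTMLParser):
    """Collects character data and marks line-breaking tags with BREAK."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in BREAKING_TAGS:
            self.parts.append(BREAK)

    def handle_endtag(self, tag):
        if tag in BREAKING_TAGS:
            self.parts.append(BREAK)

    def handle_data(self, data):
        self.parts.append(data)

def rendered_lines(html):
    """Visible text per line, with runs of HTML whitespace collapsed to one space."""
    parser = _Text()
    parser.feed(html)
    parser.close()
    collapsed = re.sub(r"[ \t\n\f\r]+", " ", "".join(parser.parts))
    return [line.strip() for line in collapsed.split(BREAK) if line.strip()]

def changed_lines(before, after):
    """Pairs of (before, after) visible lines that differ; empty if text is preserved."""
    pairs = zip_longest(rendered_lines(before), rendered_lines(after), fillvalue="")
    return [(a, b) for a, b in pairs if a != b]

# The two strings quoted in the report (filterHTML input and formatted output).
REPORTED_INPUT = ('Is it a <span style="color:#e60000">threat</span> or an '
                  '<span style="color:#e60000">opportunity</span>?<br>\n'
                  'Is it a threat or an opportunity?')
REPORTED_OUTPUT = ('Is it a <span style="color: rgb(230,0,0);">threat</span>\n'
                   ' or an <span style="color: rgb(230,0,0);">opportunity</span>\n'
                   '?<br />\n\n'
                   'Is it a threat or an opportunity?')

if __name__ == "__main__":
    for before, after in changed_lines(REPORTED_INPUT, REPORTED_OUTPUT):
        print(f"visible text changed: {before!r} -> {after!r}")
```

The newline inserted after `threat</span>` is harmless because a space already followed it; the one inserted before `?` is what the check flags.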