Posted to dev@sling.apache.org by "Radu Cotescu (JIRA)" <ji...@apache.org> on 2016/08/24 15:57:20 UTC
[jira] [Created] (SLING-6008) The display context cannot be overwritten for HTML attribute expressions
Radu Cotescu created SLING-6008:
-----------------------------------
Summary: The display context cannot be overwritten for HTML attribute expressions
Key: SLING-6008
URL: https://issues.apache.org/jira/browse/SLING-6008
Project: Sling
Issue Type: Bug
Components: Scripting
Affects Versions: Scripting Sightly Engine 1.0.18
Reporter: Radu Cotescu
Assignee: Radu Cotescu
Fix For: Scripting Sightly Engine 1.0.20, Scripting Sightly Compiler 1.0.0
The XSS display context cannot be overwritten any more for expressions that should generate the value of HTML attributes:
Markup:
{code:html}
<a data-sly-use.urltype="logic.js" href="${urltype.hrefValue @ context='unsafe'}">Click</a>
{code}
Logic:
{code:javascript}
use(function () {
    return {
        hrefValue: "$link.category('default','men','')"
    };
});
{code}
Current output:
{code:html}
<a href="$link.category(%27default%27,%27men%27,%27%27)">Click</a>
{code}
However, with {{context='unsafe'}}, the output should actually be:
{code:html}
<a href="$link.category('default','men','')">Click</a>
{code}
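For template review, an added example (not part of the original report and not Sling's own code): a small scanner that lists HTL expressions inside HTML attribute values that set an explicit display context, marking `context='unsafe'`, where the value is written out without XSS escaping. The function name, the regular expressions and the sample lines other than the report's markup are assumptions of this example.

```javascript
// Added example: find explicit display-context overrides in attribute expressions.
// Regex-based on purpose: assumes quoted attribute values and no '}' or '@'
// inside string literals of the expression.
const ATTR_RE = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
const EXPR_RE = /\$\{([^}]*)\}/g;
const CONTEXT_RE = /\bcontext\s*=\s*(['"])([^'"]*)\1/;

function findContextOverrides(markup) {
  const findings = [];
  markup.split(/\r?\n/).forEach((text, i) => {
    for (const attr of text.matchAll(ATTR_RE)) {
      const value = attr[2] !== undefined ? attr[2] : attr[3];
      for (const expr of value.matchAll(EXPR_RE)) {
        const at = expr[1].indexOf("@");
        if (at === -1) continue; // no options: the attribute's default context applies
        const ctx = CONTEXT_RE.exec(expr[1].slice(at + 1));
        if (!ctx) continue; // options present, but none sets the context
        findings.push({
          line: i + 1,
          attribute: attr[1],
          expression: expr[0],
          context: ctx[2],
          unescaped: ctx[2] === "unsafe", // 'unsafe' turns escaping off
        });
      }
    }
  });
  return findings;
}

// Constructed sample: line 1 is the markup from the report, lines 2-3 are made up.
const SAMPLE = [
  `<a data-sly-use.urltype="logic.js" href="\${urltype.hrefValue @ context='unsafe'}">Click</a>`,
  `<a href="\${page.path}">Default context</a>`,
  `<img src="\${asset.src @ context='uri'}" title="\${asset.title @ i18n}">`,
].join("\n");

for (const f of findContextOverrides(SAMPLE)) {
  const note = f.unescaped ? "REVIEW: no escaping" : "explicit context";
  console.log(`line ${f.line} ${f.attribute}: ${f.expression} (${note})`);
}
```

Each entry marked `unescaped` is an attribute whose value reaches the page exactly as the use-object returns it, so the source of that value is what needs checking.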