Posted to dev@sling.apache.org by "Radu Cotescu (JIRA)" <ji...@apache.org> on 2016/08/24 15:57:20 UTC

[jira] [Created] (SLING-6008) The display context cannot be overwritten for HTML attribute expressions

Radu Cotescu created SLING-6008:
-----------------------------------

             Summary: The display context cannot be overwritten for HTML attribute expressions
                 Key: SLING-6008
                 URL: https://issues.apache.org/jira/browse/SLING-6008
             Project: Sling
          Issue Type: Bug
          Components: Scripting
    Affects Versions: Scripting Sightly Engine 1.0.18
            Reporter: Radu Cotescu
            Assignee: Radu Cotescu
             Fix For: Scripting Sightly Engine 1.0.20, Scripting Sightly Compiler 1.0.0


The XSS display context cannot be overwritten any more for expressions that should generate the value of HTML attributes:

Markup:
{code:html}
<a data-sly-use.urltype="logic.js" href="${urltype.hrefValue @ context='unsafe'}">Click</a>
{code}

Logic:
{code:javascript}
use(function () {
    return {
        hrefValue: "$link.category('default','men','')"
    };
});
{code}

Current output:
{code:html}
<a href="$link.category(%27default%27,%27men%27,%27%27)">Click</a>
{code}

However, with {{context='unsafe'}}, the output should actually be:
{code:html}
<a href="$link.category('default','men','')">Click</a>
{code}



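An explicit `context='unsafe'` turns off XSS escaping for that expression, so once the override behaves as this report expects it helps to know where templates rely on it. The following is an added example, not part of the original message or of Sling's code: a small Node.js audit that lists HTML attribute expressions carrying an explicit display context. The function name `findContextOverrides` and the `SAMPLE` markup are constructed for illustration, and the regular expressions assume attribute values that stay on one line.

```javascript
// Added example: audit HTL markup for attribute expressions that set an
// explicit display context. findContextOverrides and SAMPLE are constructed
// for illustration; they are not part of Sling.
const SAMPLE = [
  `<a data-sly-use.urltype="logic.js" href="\${urltype.hrefValue @ context='unsafe'}">Click</a>`,
  `<a href="\${item.path @ context='uri'}" title="\${item.title}">Item</a>`,
  `<img src="\${item.image}" alt='\${item.alt @ i18n, context="unsafe"}'>`,
].join("\n");

// name="value" or name='value' pairs; HTL expressions live inside the value.
const ATTR = /([\w:.-]+)\s*=\s*("([^"]*)"|'([^']*)')/g;
// ${ expr @ options }: group 1 is the expression, group 2 the option list.
const EXPR = /\$\{([^}@]*)(?:@([^}]*))?\}/g;
// context='x' or context="x" anywhere in the comma-separated option list.
const CONTEXT = /(?:^|,)\s*context\s*=\s*(['"])([^'"]*)\1/;

function findContextOverrides(markup) {
  const findings = [];
  markup.split("\n").forEach((line, idx) => {
    for (const attr of line.matchAll(ATTR)) {
      const value = attr[3] !== undefined ? attr[3] : attr[4];
      for (const expr of value.matchAll(EXPR)) {
        const ctx = CONTEXT.exec(expr[2] || "");
        if (!ctx) continue; // no override: the engine chooses the context
        findings.push({
          line: idx + 1,
          attribute: attr[1],
          expression: expr[1].trim(),
          context: ctx[2],
          unescaped: ctx[2] === "unsafe", // value is emitted without escaping
        });
      }
    }
  });
  return findings;
}

// Print one row per explicit override found in the constructed sample.
console.log(findContextOverrides(SAMPLE));
```

Each finding with `unescaped: true` marks an attribute whose value reaches the page exactly as the use-object returned it, so the value's source should be reviewed.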