Posted to dev@sling.apache.org by "Konrad Windszus (JIRA)" <ji...@apache.org> on 2016/08/03 07:59:20 UTC
[jira] [Updated] (SLING-5944) Sightly doesn't allow to overwrite the context for `data-sly-element`
[ https://issues.apache.org/jira/browse/SLING-5944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konrad Windszus updated SLING-5944:
-----------------------------------
Description:
For the following Sightly script
{code}
<a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
{code}
the generated Servlet looks like this
{code}
Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss", "invalidelement", "unsafe"), "elementName");
if (RenderUtils.toBoolean(var_tagvar0)) {
out.write("<");
out.write(RenderUtils.toString(var_tagvar0));
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
out.write("<a");
}
out.write(">");
if (RenderUtils.toBoolean(var_tagvar0)) {
out.write("</");
out.write(RenderUtils.toString(var_tagvar0));
out.write(">");
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
out.write("</a>");
}
{code}
So the element name is XSS-protected twice: first with 'unsafe' (which doesn't modify the given literal) and then with 'elementName', which removes the literal.
This contradicts the documentation at https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which says
{quote}
For security reasons, data-sly-element accepts only the following element names:
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
To set other elements, XSS security must be turned off (@context='unsafe').
{quote}
The HTL spec only says
{quote}
The element name is automatically XSS-protected with the elementName context, which by the way doesn't allow elements like <script>, <style>, <form>, or <input> (see the Display Context section for the exact list).
{quote}
(https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).
I am wondering if it really is impossible to output arbitrary tag names with {{data-sly-element}}.
IMHO if another context is given, that one should replace the "elementName" context instead of being added on top.
was:
For the following Sightly script
{code}
<a data-sly-element="${'invalidelement' @ context='unsafe'}"></a>
{code}
the generated Servlet looks like this
{code}
Object var_tagvar0 = renderContext.call("xss", renderContext.call("xss", "invalidelement", "unsafe"), "elementName");
if (RenderUtils.toBoolean(var_tagvar0)) {
out.write("<");
out.write(RenderUtils.toString(var_tagvar0));
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
out.write("<a");
}
out.write(">");
if (RenderUtils.toBoolean(var_tagvar0)) {
out.write("</");
out.write(RenderUtils.toString(var_tagvar0));
out.write(">");
}
if (!RenderUtils.toBoolean(var_tagvar0)) {
out.write("</a>");
}
{code}
So the element is XSS-protected twice: first with 'unsafe' (which doesn't modify the given literal) and then with 'elementName'.
This contradicts the documentation at https://docs.adobe.com/docs/en/htl/docs/block-statements.html#element which says
{quote}
For security reasons, data-sly-element accepts only the following element names:
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
To set other elements, XSS security must be turned off (@context='unsafe').
{quote}
The HTL spec only says
{quote}
The element name is automatically XSS-protected with the elementName context, which by the way doesn't allow elements like <script>, <style>, <form>, or <input> (see the Display Context section for the exact list).
{quote}
(https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#224-element).
I am wondering if it really is impossible to output arbitrary tag names with {{data-sly-element}}.
> Sightly doesn't allow to overwrite the context for `data-sly-element`
> ---------------------------------------------------------------------
>
> Key: SLING-5944
> URL: https://issues.apache.org/jira/browse/SLING-5944
> Project: Sling
> Issue Type: Bug
> Components: Scripting
> Affects Versions: Scripting Sightly Engine 1.0.18
> Reporter: Konrad Windszus
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
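The double wrapping described in the report, modelled as an added illustration in Python (this is not code from the Sling Sightly engine or from the reporter). The `xss` helper stands in for `renderContext.call("xss", value, context)` and only models the two contexts the report touches; the allow-list is the one quoted from the Adobe docs, and `render_element` mirrors the fallback-to-original-tag control flow of the generated servlet. `current_behaviour` stacks `elementName` on top of the explicit context as the engine does today; `proposed_behaviour` applies the reporter's suggestion that an explicit context replaces `elementName`. Function names and the exact-match rule for the allow-list are assumptions of this model.

```python
"""Model of how data-sly-element output is filtered through display contexts.

Added illustration for SLING-5944; not the Sling engine's own code.  The
allow-list is quoted from the Adobe HTL docs, everything else is a stand-in.
"""

# Allow-list for the elementName context as quoted from the Adobe HTL docs.
ELEMENT_NAME_ALLOWLIST = frozenset("""
a abbr address article aside b bdi bdo blockquote br caption cite code col colgroup
data dd del dfn div dl dt em figcaption figure footer h1 h2 h3 h4 h5 h6 header i ins
kbd li main mark nav ol p pre q rp rt ruby s samp section small span strong sub
sup table tbody td tfoot th thead time tr u var wbr
""".split())


def xss(value, context):
    """Stand-in for renderContext.call("xss", value, context).

    Only the two contexts relevant to the report are modelled; exact-match
    lookup against the allow-list is a modelling assumption.
    """
    text = "" if value is None else str(value)
    if context == "unsafe":
        return text  # passthrough: no filtering at all
    if context == "elementName":
        # Allow-listed tag names pass; anything else becomes the empty string,
        # which the generated servlet treats as false and falls back on.
        return text if text in ELEMENT_NAME_ALLOWLIST else ""
    raise ValueError(f"context not modelled here: {context!r}")


def render_element(tag_value, original_tag="a", inner=""):
    """Mirror the generated servlet: use the filtered name if it is truthy
    (RenderUtils.toBoolean), otherwise write the original tag."""
    if tag_value:
        return f"<{tag_value}>{inner}</{tag_value}>"
    return f"<{original_tag}>{inner}</{original_tag}>"


def current_behaviour(literal, context, original_tag="a"):
    """What the engine generates today: the explicit context is applied
    first and elementName is stacked on top of the result."""
    return render_element(xss(xss(literal, context), "elementName"), original_tag)


def proposed_behaviour(literal, context=None, original_tag="a"):
    """The reporter's proposal: an explicit context replaces elementName;
    with no explicit context the default elementName filtering still applies."""
    effective = context if context is not None else "elementName"
    return render_element(xss(literal, effective), original_tag)


if __name__ == "__main__":
    # Reproduces the report: the literal survives 'unsafe' but is removed by
    # the stacked 'elementName' filter, so the original <a> is written.
    print("current :", current_behaviour("invalidelement", "unsafe"))
    print("proposed:", proposed_behaviour("invalidelement", "unsafe"))
    # Without an explicit context the proposal still blocks dangerous names.
    print("default :", proposed_behaviour("script"))
```

Running the block prints `<a></a>` for the current behaviour and `<invalidelement></invalidelement>` for the proposed one. The caveat the model makes visible: once an explicit context replaces `elementName`, `@ context='unsafe'` on a tag name lets `script`, `style` or any other name through, which is exactly what the default filter exists to prevent, so such an override is only defensible for trusted literals in the template, never for values derived from request or content data.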