Posted to dev@sling.apache.org by "Vlad Bailescu (JIRA)" <ji...@apache.org> on 2015/02/06 17:16:36 UTC
[jira] [Reopened] (SLING-4176) Sightly: StyleToken context is doing nothing
[ https://issues.apache.org/jira/browse/SLING-4176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vlad Bailescu reopened SLING-4176:
----------------------------------
I just realized there's one case where we fail to offer XSS protection:
{{url("javascript:alert(1)")}}
I've prepared a patch for this case too.
> Sightly: StyleToken context is doing nothing
> --------------------------------------------
>
> Key: SLING-4176
> URL: https://issues.apache.org/jira/browse/SLING-4176
> Project: Sling
> Issue Type: Bug
> Components: Extensions, Scripting
> Reporter: Vlad Bailescu
> Assignee: Felix Meschberger
> Priority: Minor
> Labels: Sightly
> Fix For: XSS Protection API 1.0.0, Scripting Sightly Engine 1.0.0
>
>
> The context='styleToken' expression option doesn't seem to be doing anything (it seems to work as context='unsafe'). Similarly to scriptToken, this should actually be a validator that only allows the following CSS tokens:
> - Identifiers, e.g.: red, or -moz-box-sizing
> - Numbers and dimensions, e.g.: 42, 42deg, .42s or 42%
> - Strings, e.g.: "it's there"
> - Hex colors, e.g.: #fff
> - Functions (making sure to have matching parentheses!), e.g.: rgba(20%, 20%, 100%, 0.02), or url('data:image/png;base64,iVB...')
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
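A validator that implements the token rules from the quoted description and also covers the reopened url("javascript:alert(1)") case, written here as an added example and not taken from the Sling patch or the XSS Protection API. The url() scheme allow-list (relative, http, https, image data: URLs) and the rejection of the legacy expression() function are assumptions that go beyond what the issue specifies.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class StyleTokenValidator {
    private static final Pattern IDENT  = Pattern.compile("-?[_a-zA-Z][_a-zA-Z0-9-]*");           // red, -moz-box-sizing
    private static final Pattern NUMBER = Pattern.compile("[+-]?(\\d+(\\.\\d+)?|\\.\\d+)([a-zA-Z]+|%)?"); // 42, 42deg, .42s, 42%
    private static final Pattern STRING = Pattern.compile("\"[^\"\\\\]*\"|'[^'\\\\]*'");          // "it's there"
    private static final Pattern HEX    = Pattern.compile("#[0-9a-fA-F]{3}([0-9a-fA-F]{3})?");    // #fff
    private static final Pattern FUNC   = Pattern.compile("(-?[_a-zA-Z][_a-zA-Z0-9-]*)\\((.*)\\)", Pattern.DOTALL);
    private static final Pattern SCHEME = Pattern.compile("^([a-zA-Z][a-zA-Z0-9+.-]*):");

    /** True when value is exactly one allowed CSS token: identifier, number/dimension, string, hex color or function. */
    public static boolean isValidStyleToken(String value) {
        String v = value.trim();
        if (IDENT.matcher(v).matches() || NUMBER.matcher(v).matches()
                || STRING.matcher(v).matches() || HEX.matcher(v).matches()) return true;
        Matcher m = FUNC.matcher(v);
        if (!m.matches()) return false;
        String name = m.group(1);
        if (name.equalsIgnoreCase("expression")) return false;   // assumed extra rule: legacy IE expression() runs script
        List<String> args = splitTopLevel(m.group(2));
        if (args == null) return false;                           // unbalanced parentheses or quotes
        if (name.equalsIgnoreCase("url")) return args.size() == 1 && isSafeUrlArgument(args.get(0));
        for (String a : args) if (!isValidStyleToken(a)) return false;   // e.g. rgba(20%, 20%, 100%, 0.02)
        return true;
    }

    /** Assumed policy (not from the issue): url() holds a quoted relative URL, http(s) URL or image data: URL. */
    private static boolean isSafeUrlArgument(String arg) {
        String a = arg.trim(); if (!STRING.matcher(a).matches()) return false;   // require a quoted string
        String url = a.substring(1, a.length() - 1).replaceAll("[\\x00-\\x20]", ""); // browsers drop tabs/newlines in a scheme
        Matcher s = SCHEME.matcher(url); if (!s.find()) return true;              // no scheme: relative URL
        String scheme = s.group(1);
        return scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https")
                || (scheme.equalsIgnoreCase("data") && url.regionMatches(true, 0, "data:image/", 0, 11));
    }

    private static List<String> splitTopLevel(String args) {   // split on depth-0 commas; null if unbalanced
        List<String> out = new ArrayList<>(); StringBuilder cur = new StringBuilder();
        int depth = 0; char quote = 0;
        for (char c : args.toCharArray()) {
            if (quote != 0) { if (c == quote) quote = 0; }
            else if (c == '"' || c == '\'') quote = c;
            else if (c == '(') depth++;
            else if (c == ')') { if (--depth < 0) return null; }
            else if (c == ',' && depth == 0) { out.add(cur.toString()); cur.setLength(0); continue; }
            cur.append(c);
        }
        if (depth != 0 || quote != 0) return null;
        out.add(cur.toString()); return out;
    }
}
```

With this policy every example token listed in the issue is accepted, while url("javascript:alert(1)"), url("java\tscript:alert(1)") and an unbalanced rgba(20%, 20% are rejected.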