[jira] [Commented] (SLING-6959) XssProtection changes html semantic caused by formatting

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SLING-6959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16051727#comment-16051727 ]

Konrad Windszus commented on SLING-6959:

Indeed I think it is. Please try out the XSS Protection Bundle 1.0.6.

> XssProtection changes html semantic caused by formatting
> --------------------------------------------------------
>                 Key: SLING-6959
>                 URL: https://issues.apache.org/jira/browse/SLING-6959
>             Project: Sling
>          Issue Type: Bug
>    Affects Versions: XSS Protection API 1.0.2, Scripting Sightly Engine 1.0.2
>         Environment: AEM
>            Reporter: Lukas Kummer
>            Priority: Minor
>         Attachments: space.png
> When using Sightly the following html:
> {code:html}
> <td class="infoline" > ${component.infoline @ context='html'} </td>
> {code}
> it will be compiled to:
> {code:java}
> String var_28 = ((" "+renderContext.toString(renderContext.call("xss", renderContext.resolveProperty(_global_component, "infoline"), "html")))+" ");
> {code}
> which calls
> org.apache.sling.scripting.sightly.impl.engine.extension.XSSRuntimeExtension.call(RenderContext, Object...)
> and later:
> org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(String)
> When this method is called with this String:
> {code:html}
> Is it a <span style="color:#e60000">threat</span> or an <span style="color:#e60000">opportunity</span>?<br>
> Is it a threat or an opportunity?
> {code}
> will be turned into
> {code:html}
> Is it a <span style="color: rgb(230,0,0);">threat</span>
>  or an <span style="color: rgb(230,0,0);">opportunity</span>
> ?<br />
> Is it a threat or an opportunity?
> {code}
> which leads to the problem that there will be a space between the word opportunity and the question mark.
> However, the formatting could be configured by changing the SLING-INF/content/config.xml
> (from <directive name="formatOutput" value="true"/> to <directive name="formatOutput" value="false"/>)
> But anyway the formatting shouldn't change the semantics, which is why the formatting directive should always be false

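Added example, not part of the original message or of Sling's code: a regression check that compares the visible text of markup before and after filtering, with HTML whitespace collapsing applied, so that a formatter inserting line breaks next to inline content is caught. ORIGINAL and FORMATTED are the strings quoted in the issue; UNFORMATTED, the helper names and the LINE_BREAKING subset are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser
from itertools import zip_longest

BREAK = "\x00"  # sentinel marking a forced line break
LINE_BREAKING = {"br", "p", "div", "td", "tr", "li"}  # assumed subset, enough for the sample


class _Text(HTMLParser):
    """Collects text nodes and marks elements that force a line break."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in LINE_BREAKING:
            self.parts.append(BREAK)

    def handle_endtag(self, tag):
        if tag in LINE_BREAKING:
            self.parts.append(BREAK)

    def handle_data(self, data):
        self.parts.append(data)


def rendered_lines(html):
    """Visible text per rendered line; whitespace runs collapse to one space."""
    parser = _Text()
    parser.feed(html)
    parser.close()
    segments = "".join(parser.parts).split(BREAK)
    lines = (re.sub(r"[ \t\r\n\f]+", " ", s).strip() for s in segments)
    return [line for line in lines if line]


def text_changes(before, after):
    """Pairs of rendered lines that differ between input and filtered output."""
    pairs = zip_longest(rendered_lines(before), rendered_lines(after), fillvalue="")
    return [(b, a) for b, a in pairs if b != a]


# Input and formatted output as quoted in the issue description.
ORIGINAL = ('Is it a <span style="color:#e60000">threat</span> or an '
            '<span style="color:#e60000">opportunity</span>?<br>\n'
            'Is it a threat or an opportunity?')
FORMATTED = ('Is it a <span style="color: rgb(230,0,0);">threat</span>\n or an '
             '<span style="color: rgb(230,0,0);">opportunity</span>\n?<br />\n'
             'Is it a threat or an opportunity?')
# Constructed: FORMATTED without the inserted line breaks (assumed unformatted output).
UNFORMATTED = FORMATTED.replace("</span>\n", "</span>")
```

text_changes(ORIGINAL, FORMATTED) reports the first rendered line, where "opportunity?" has become "opportunity ?", while the style rewrite to rgb() does not register because it leaves the text unchanged.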