AEM sightly - what is unsafe about using the 'unsafe' context | Community
brendanf9753525
Level 4
October 10, 2017
Solved

AEM sightly - what is unsafe about using the 'unsafe' context

  • October 10, 2017
  • 5 replies
  • 16764 views

Hey everyone,

I'm looking at some Sightly HTL code and have a certain instance where we need to have a <script> tag and a <div> tag together to embed a Wistia video. In order to do this I made a component so my editors can embed HTML directly and it is rendered on the page.

I can either do the @ context = 'html' to embed HTML directly, or the 'text' to render my JavaScript, but there isn't something to embed them together other than 'unsafe'.

What does this unsafe context mean? What would be unsafe about doing it this way? Is this a security vulnerability to embed things using this context? Or is it mostly 'unsafe' because editors can embed malformed HTML and scripts, and the API doesn't make everything match? It's only on my dev instance now.

Thanks for any suggestions on this!

Brendan

Best answer by VeenaVikraman (Community Advisor, October 10, 2017)

HTL has inbuilt XSS protection, unlike before. So when you use context = 'unsafe', it will completely disable the XSS protection. Once that is disabled your site may be vulnerable to cross-site scripting through those unsafe properties.

htl-spec/SPECIFICATION.md at master · Adobe-Marketing-Cloud/htl-spec · GitHub

What is Cross-site Scripting and How Can You Fix it?

Thanks

Veena

5 replies

brendanf9753525
Level 4
October 10, 2017

Thanks for the reply Veena. I'll be sure to avoid it. So if we use 'unsafe' anywhere in a component, will it disable XSS protection on the entire site?

VeenaVikraman
Community Advisor
Community Advisor
October 11, 2017

Not 100%. But via that particular property your site will become vulnerable to XSS. Imagine someone adding a script to the dialog, or anything like that for that matter, which may ultimately end up in your website and make it vulnerable.

AnkurAhlawat-1
Level 6
October 11, 2017

It will not make the entire site unsafe, but only those decorative tags or scripts that you are using with context as "unsafe". It is not recommended to use the unsafe context; that is one of the reasons why HTL is preferred over JSP, as it avoids cross-site scripting. There are a lot of other contexts available which may fit your requirement; just give them a try.

brendanf9753525
Level 4
October 11, 2017

Thanks for your replies all! I was able to use @ context = 'scriptComment' to embed our Wistia video. It looks like that was the way to embed both of them successfully.