Expand my Community achievements bar.

SOLVED

How can I encode Javascript snippets in widget.jsp?

Avatar

Level 3
Level 3
11/21/16 5:32:08 AM

Hi 

I use a lot of Javascript in custom components. Therefor I use custom properties that I added to the custom component's dialog. 

I've found that all properties provided by the user via the component's dialog are encoded in the JSP:

name="${guide:encodeForHtmlAttr(guideField.name,xssAPI)}"

com.adobe.aemds.guide.taglibs.GuideELUtils provides 

 

    

encodeForHtml(String str, XSSAPI xssapi) 

encodeForHtmlAttr(String str, XSSAPI xssapi) 

but does not provide methods for other encoding recommended by https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

How can I protect against XSS using the aem toolset?

Thank you, 

Urs

Views

2.2K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 2
Level 2
11/21/16 8:41:33 AM

Hi,

I guess xssAPI.encodeForJSString("") is what you are looking for.

https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html#encodeForJSString(...)

Thanks,

Anshika

View solution in original post

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Correct answer by
Level 2
Level 2
11/21/16 8:41:33 AM

Hi,

I guess xssAPI.encodeForJSString("") is what you are looking for.

https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html#encodeForJSString(...)

Thanks,

Anshika

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 3
Level 3
11/21/16 8:47:06 AM

Hi Anshika

thanks a lot.

That's what I was looking for. 

Thanks,

Urs

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
11/23/16 5:02:03 AM

Hi Anshika,

sorry to come back to this issue I had no time before. How can I access xssAPI from within widget.jsp in AEM 6.1? 

Thank you,

Urs

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
11/23/16 5:49:40 AM

Hi Urs,

The example you gave in your first comment already had the xssAPI instance so I assumed you already have access to it.

However, if you don't, you could either include <%@include file="/libs/granite/ui/global.jsp" %>  or alternatively add  <%@taglib prefix="cq" uri="http://www.day.com/taglibs/cq/1.0" %> in your jsp.

And in case you are asking how to use it within the script in your jsp, attaching a sample below :

<script>xyz.registerConfig("serverUrlConfig", {"contextPath" : "<%=xssAPI.encodeForJSString(contextPath)%>"      } );</script>

Hope that helps.

Thanks,

Anshika

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Different font in pdf generated through outputservice in adobe live cycle Solved

Views

191

Likes

0

Replies

5
Different Response code of process design REST API in browser & postman - adobe live cycle

Views

42

Likes

0

Replies

0
Cell in subform not sizing properly

Views

186

Likes

0

Replies

3
unable to create forms theme getting console error and if editing existing theme getting blank page showing jcr:Content not found in error log

Views

106

Likes

0

Replies

1
How to setup password complexity for users in AEM Forms - Document Security

Views

95

Likes

0

Replies

0