Hi
I use a lot of JavaScript in custom components. Therefore I use custom properties that I added to the custom component's dialog.
I've found that all properties provided by the user via the component's dialog are encoded in the JSP:
name="${guide:encodeForHtmlAttr(guideField.name,xssAPI)}"
com.adobe.aemds.guide.taglibs.GuideELUtils provides
but does not provide methods for other encodings recommended by https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project
How can I protect against XSS using the AEM toolset?
Thank you,
Urs
Hi,
I guess xssAPI.encodeForJSString("") is what you are looking for.
Thanks,
Anshika
Hi Anshika
Thanks a lot.
That's what I was looking for.
Thanks,
Urs
Hi Anshika,
Sorry to come back to this issue; I had no time before. How can I access xssAPI from within widget.jsp in AEM 6.1?
Thank you,
Urs
Hi Urs,
The example you gave in your first comment already had the xssAPI instance, so I assumed you already have access to it.
However, if you don't, you could either include <%@include file="/libs/granite/ui/global.jsp" %> or alternatively add <%@taglib prefix="cq" uri="http://www.day.com/taglibs/cq/1.0" %> in your JSP.
And in case you are asking how to use it within the script in your JSP, I am attaching a sample below:
<script>xyz.registerConfig("serverUrlConfig", {"contextPath" : "<%=xssAPI.encodeForJSString(contextPath)%>" } );</script>
Hope that helps.
Thanks,
Anshika
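An added example, not part of any reply in this thread and not Adobe's code: a widget.jsp fragment that picks the XSSAPI encoder matching each output context, which is the mapping the original question asks about. The property names `tooltipText` and `helpLink` are hypothetical, and it assumes the `/libs/granite/ui/global.jsp` include from the answer above puts `resource` and `xssAPI` in scope.

```jsp
<%-- Added example. Property names tooltipText and helpLink are hypothetical. --%>
<%@include file="/libs/granite/ui/global.jsp" %><%
    // Assumption: the include above defines `resource` and `xssAPI`.
    org.apache.sling.api.resource.ValueMap props = resource.getValueMap();

    // Author-supplied dialog values: treat all of them as untrusted input.
    String name    = props.get("name", "");
    String tooltip = props.get("tooltipText", "");
    String helpUrl = props.get("helpLink", "");
%>
<%-- HTML attribute context: the value must not break out of the quotes. --%>
<input type="text"
       name="<%= xssAPI.encodeForHTMLAttr(name) %>"
       title="<%= xssAPI.encodeForHTMLAttr(tooltip) %>"/>

<%-- HTML element content: markup characters are rendered as text. --%>
<p class="field-help"><%= xssAPI.encodeForHTML(tooltip) %></p>

<%-- URL attribute: validate the URL itself rather than only
     encoding it, so a scripting URL scheme is not emitted as a link. --%>
<a href="<%= xssAPI.getValidHref(helpUrl) %>">Help</a>

<%-- JavaScript string literal: HTML encoding is the wrong tool here,
     because the value is parsed by the script engine first. --%>
<script>
    var fieldConfig = {
        "name":    "<%= xssAPI.encodeForJSString(name) %>",
        "tooltip": "<%= xssAPI.encodeForJSString(tooltip) %>"
    };

    // Once in JavaScript the value is a plain string again. Write it to the
    // DOM as text (textContent), not as markup (innerHTML), so it is never
    // re-parsed as HTML on the client side.
    document.querySelector(".field-help").textContent = fieldConfig.tooltip;
</script>
```

The encoder is chosen by where the value lands in the output, not by where it came from; the same `tooltipText` value goes through three different methods above.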