How can I encode JavaScript snippets in widget.jsp?

urs_h_ 21-11-2016


I use a lot of JavaScript in custom components. Therefore, I use custom properties that I added to the custom component's dialog.

I've found that all properties provided by the user via the component's dialog are encoded in the JSP:

name="${guide:encodeForHtmlAttr(,xssAPI)}" provides 



encodeForHtml(String str, XSSAPI xssapi) 

encodeForHtmlAttr(String str, XSSAPI xssapi) 

but does not provide methods for other encoding recommended by

How can I protect against XSS using the AEM toolset?

Thank you, 


Answers (3)


anshikagarwal 23-11-2016

Hi Urs,

The example you gave in your first comment already had the xssAPI instance so I assumed you already have access to it.

However, if you don't, you could either include <%@include file="/libs/granite/ui/global.jsp" %> or alternatively add <%@taglib prefix="cq" uri="" %> in your JSP.

And in case you are asking how to use it within the script in your JSP, I am attaching a sample below:

<script>xyz.registerConfig("serverUrlConfig", {"contextPath" : "<%=xssAPI.encodeForJSString(contextPath)%>"      } );</script>

Hope that helps.
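To illustrate why a value written into a script block needs a JavaScript-string encoder such as the `encodeForJSString` call in the sample above, here is an added example (not part of the original thread, and not AEM's XSSAPI code). `encodeForHtml` and `encodeForJsString` are simplified stand-ins written for this illustration, `renderScript` and `roundTrip` are hypothetical helpers, and the sample values are constructed.

```javascript
// Simplified stand-in for an HTML encoder (escapes only HTML metacharacters).
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Simplified stand-in for a JS-string encoder: every UTF-16 code unit that is
// not alphanumeric becomes \xHH or \uHHHH, so quotes, backslashes, line
// terminators and "</script>" never appear raw inside the string literal.
function encodeForJsString(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(s[i])) out += s[i];
    else if (c < 0x100) out += '\\x' + c.toString(16).padStart(2, '0');
    else out += '\\u' + c.toString(16).padStart(4, '0');
  }
  return out;
}

// Builds the script body from the answer's sample with the chosen encoder.
function renderScript(contextPath, encode) {
  return 'xyz.registerConfig("serverUrlConfig", {"contextPath" : "' +
         encode(contextPath) + '"});';
}

// Runs the rendered script against a stub `xyz` and reports whether the
// script received exactly the value the server intended to pass.
function roundTrip(contextPath, encode) {
  const source = renderScript(contextPath, encode);
  let seen;
  const xyz = { registerConfig: (name, cfg) => { seen = cfg.contextPath; } };
  try {
    new Function('xyz', source)(xyz);
  } catch (e) {
    return { source, ok: false, error: e.name }; // literal was broken
  }
  return { source, ok: seen === contextPath, seen };
}

// Constructed sample values, not taken from the page.
const samples = ['/aem', '/o\'brien "beta"', 'C:\\ctx\\', 'line1\nline2', 'a</script>b'];
for (const v of samples) {
  console.log(JSON.stringify(v),
    'html:', roundTrip(v, encodeForHtml).ok,
    'js:', roundTrip(v, encodeForJsString).ok);
}
```

With the HTML encoder, a trailing backslash or a newline breaks the string literal and the other values reach the script as entity text; with the JS-string encoder every sample arrives unchanged.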



urs_h_ 23-11-2016

Hi Anshika,

Sorry to come back to this issue; I had no time before. How can I access xssAPI from within widget.jsp in AEM 6.1?

Thank you,