Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn More

View all

Sign in to view all badges

How can I encode Javascript snippets in widget.jsp?

Avatar

Avatar
Validate 1
Level 2
urs_h_
Level 2

Likes

5 likes

Total Posts

42 posts

Correct reply

6 solutions
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 5
View profile

Avatar
Validate 1
Level 2
urs_h_
Level 2

Likes

5 likes

Total Posts

42 posts

Correct reply

6 solutions
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 5
View profile
urs_h_
Level 2

21-11-2016

Hi 

I use a lot of Javascript in custom components. Therefor I use custom properties that I added to the custom component's dialog. 

I've found that all properties provided by the user via the component's dialog are encoded in the JSP:

name="${guide:encodeForHtmlAttr(guideField.name,xssAPI)}"

com.adobe.aemds.guide.taglibs.GuideELUtils provides 

 

    

encodeForHtml(String str, XSSAPI xssapi) 

encodeForHtmlAttr(String str, XSSAPI xssapi) 

but does not provide methods for other encoding recommended by https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

How can I protect against XSS using the aem toolset?

Thank you, 

Urs

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar
Boost 1
Level 2
anshikagarwal
Level 2

Likes

2 likes

Total Posts

12 posts

Correct reply

2 solutions
Top badges earned
Boost 1
Affirm 1
View profile

Avatar
Boost 1
Level 2
anshikagarwal
Level 2

Likes

2 likes

Total Posts

12 posts

Correct reply

2 solutions
Top badges earned
Boost 1
Affirm 1
View profile
anshikagarwal
Level 2

21-11-2016

Hi,

I guess xssAPI.encodeForJSString("") is what you are looking for.

https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html#encodeForJSString(...)

Thanks,

Anshika

Answers (3)

Answers (3)

Avatar

Avatar
Boost 1
Level 2
anshikagarwal
Level 2

Likes

2 likes

Total Posts

12 posts

Correct reply

2 solutions
Top badges earned
Boost 1
Affirm 1
View profile

Avatar
Boost 1
Level 2
anshikagarwal
Level 2

Likes

2 likes

Total Posts

12 posts

Correct reply

2 solutions
Top badges earned
Boost 1
Affirm 1
View profile
anshikagarwal
Level 2

23-11-2016

Hi Urs,

The example you gave in your first comment already had the xssAPI instance so I assumed you already have access to it.

However, if you don't, you could either include <%@include file="/libs/granite/ui/global.jsp" %>  or alternatively add  <%@taglib prefix="cq" uri="http://www.day.com/taglibs/cq/1.0" %> in your jsp.

And in case you are asking how to use it within the script in your jsp, attaching a sample below :

<script>xyz.registerConfig("serverUrlConfig", {"contextPath" : "<%=xssAPI.encodeForJSString(contextPath)%>"      } );</script>

Hope that helps.

Thanks,

Anshika

Avatar

Avatar
Validate 1
Level 2
urs_h_
Level 2

Likes

5 likes

Total Posts

42 posts

Correct reply

6 solutions
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 5
View profile

Avatar
Validate 1
Level 2
urs_h_
Level 2

Likes

5 likes

Total Posts

42 posts

Correct reply

6 solutions
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 5
View profile
urs_h_
Level 2

23-11-2016

Hi Anshika,

sorry to come back to this issue I had no time before. How can I access xssAPI from within widget.jsp in AEM 6.1? 

Thank you,

Urs

Avatar

Avatar
Validate 1
Level 2
urs_h_
Level 2

Likes

5 likes

Total Posts

42 posts

Correct reply

6 solutions
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 5
View profile

Avatar
Validate 1
Level 2
urs_h_
Level 2

Likes

5 likes

Total Posts

42 posts

Correct reply

6 solutions
Top badges earned
Validate 1
Boost 5
Boost 3
Boost 1
Affirm 5
View profile
urs_h_
Level 2

21-11-2016

Hi Anshika

thanks a lot.

That's what I was looking for. 

Thanks,

Urs