SOLVED

How can I encode Javascript snippets in widget.jsp?

urs_h_
Level 3

Hi 

I use a lot of Javascript in custom components. Therefore I use custom properties that I added to the custom component's dialog.

I've found that all properties provided by the user via the component's dialog are encoded in the JSP:

name="${guide:encodeForHtmlAttr(guideField.name,xssAPI)}"

com.adobe.aemds.guide.taglibs.GuideELUtils provides

encodeForHtml(String str, XSSAPI xssapi)
encodeForHtmlAttr(String str, XSSAPI xssapi)

but does not provide methods for the other encodings recommended by https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

How can I protect against XSS using the AEM toolset?

Thank you, 

Urs

1 Accepted Solution

Correct answer by anshikagarwal
Level 2

4 Replies
urs_h_
Level 3

Hi Anshika

thanks a lot.

That's what I was looking for. 

Thanks,

Urs

urs_h_
Level 3

Hi Anshika,

sorry to come back to this issue, I had no time before. How can I access xssAPI from within widget.jsp in AEM 6.1?

Thank you,

Urs

anshikagarwal
Level 2

Hi Urs,

The example you gave in your first comment already had the xssAPI instance so I assumed you already have access to it.

However, if you don't, you could either include <%@include file="/libs/granite/ui/global.jsp" %> or alternatively add <%@taglib prefix="cq" uri="http://www.day.com/taglibs/cq/1.0" %> in your JSP.

And in case you are asking how to use it within the script in your JSP, attaching a sample below:

<script>xyz.registerConfig("serverUrlConfig", {"contextPath" : "<%=xssAPI.encodeForJSString(contextPath)%>"});</script>

Hope that helps.

Thanks,

Anshika
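An added example, not from this thread or from Adobe's own code, of a widget.jsp that takes the xssAPI object from the global.jsp include mentioned above and picks the XSSAPI encoder by output context (HTML body, HTML attribute, JS string literal, href, and a JS string nested inside an event-handler attribute). The component and its dialog property names (title, cssClass, link, readyMessage) are assumed.

```jsp
<%-- Added example: widget.jsp for a hypothetical custom component.
     xssAPI, properties, resource and request come from global.jsp. --%>
<%@include file="/libs/granite/ui/global.jsp" %>
<%
    // Dialog-supplied values; the property names are assumed for this example.
    String title        = properties.get("title", "");
    String cssClass     = properties.get("cssClass", "");
    String link         = properties.get("link", "");
    String readyMessage = properties.get("readyMessage", "");
    String contextPath  = request.getContextPath();
%>
<%-- HTML attribute context: encodeForHTMLAttr --%>
<div id="<%= xssAPI.encodeForHTMLAttr(resource.getName()) %>"
     class="widget <%= xssAPI.encodeForHTMLAttr(cssClass) %>">

    <%-- HTML body context: encodeForHTML --%>
    <h2><%= xssAPI.encodeForHTML(title) %></h2>

    <%-- URL context: getValidHref rejects unsafe schemes such as javascript: --%>
    <a href="<%= xssAPI.getValidHref(link) %>">
        <%= xssAPI.encodeForHTML(title) %>
    </a>

    <%-- JS string inside an HTML attribute: encode for JS first, then for
         the attribute, because the browser decodes the attribute before the
         inline handler is parsed. --%>
    <button onclick="widget.select('<%= xssAPI.encodeForHTMLAttr(
                                          xssAPI.encodeForJSString(title)) %>')">
        Select
    </button>
</div>

<script>
    // JS string literal context: encodeForJSString, never encodeForHTML here.
    widget.init({
        "contextPath": "<%= xssAPI.encodeForJSString(contextPath) %>",
        "message":     "<%= xssAPI.encodeForJSString(readyMessage) %>"
    });
</script>
```

Each value is encoded exactly once per context it passes through, so a dialog value like `"); alert(1); //` stays an inert string in every sink above.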