Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

AEM sightly - what is unsafe about using the 'unsafe' context

Avatar

Level 4

Hey everyone,

I'm looking at some sightly HTL code and have a certain instance where we need to have a <script> tag and a <div> tag together to embed a wistia video. In order to do this I made a component so my editors can embed html directly and it is rendered on the page.

I can either do the @ context = 'html' to embed html directly, or the 'text' to render my javascript but there isn't something to embed them together other than 'unsafe'

What does this unsafe context mean? What would be unsafe about doing it this way? Is this a security vulnerability to embed things using this context? Or is it mostly 'unsafe' because editors can embed malformed html, scripts, and the api doesn't make everything match? It's only on my dev instance now.

Thanks for any suggestions on this!

Brendan

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

HTL has inbuilt XSS protection rather than as before. So when you use context = 'unsafe' , it will completely disable the XSS protection. Once that is disabled your site may be vulnerable to cross site scripting through those unsafe properties.

htl-spec/SPECIFICATION.md at master · Adobe-Marketing-Cloud/htl-spec · GitHub

What is Cross-site Scripting and How Can You Fix it?

Thanks

Veena

View solution in original post

0 Replies

Avatar

Correct answer by
Community Advisor

HTL has inbuilt XSS protection rather than as before. So when you use context = 'unsafe' , it will completely disable the XSS protection. Once that is disabled your site may be vulnerable to cross site scripting through those unsafe properties.

htl-spec/SPECIFICATION.md at master · Adobe-Marketing-Cloud/htl-spec · GitHub

What is Cross-site Scripting and How Can You Fix it?

Thanks

Veena

Avatar

Level 4

Thanks for the reply Veena. I'll be sure to avoid it. So if we use 'unsafe' anywhere in a component it will disable XSS Protection on the entire site?

Avatar

Community Advisor

Not 100% . But via that particular property your site will become vulnerable to XSS . Imagine somone adding a script to the dialog or anything like dat for that matter which may ultimately end up in your website and will make it vulnerable..

Avatar

Level 7

It will not make entire site unsafe, but only those decorative tags or scripts that you are using with context as "unsafe". It is not recommended to use unsafe context that is one of the reasons why HTL is preferred over JSP as it avoid cross side scripting. There are lot of other context available which may fit your requirement just give them a try.

Avatar

Level 4

Thanks for your replies all! I was able to use @content = 'scriptComment' to embed our wistia video. It looks like that was the way to embed both of them successfully.