Hey everyone,
I'm looking at some Sightly/HTL code and have a certain instance where we need to have a <script> tag and a <div> tag together to embed a Wistia video. In order to do this I made a component so my editors can embed HTML directly and it is rendered on the page.
I can either do the @ context = 'html' to embed HTML directly, or the 'text' to render my JavaScript, but there isn't something to embed them together other than 'unsafe'.
What does this unsafe context mean? What would be unsafe about doing it this way? Is this a security vulnerability to embed things using this context? Or is it mostly 'unsafe' because editors can embed malformed HTML and scripts, and the API doesn't make everything match? It's only on my dev instance now.
Thanks for any suggestions on this!
Brendan
HTL has inbuilt XSS protection, unlike before. So when you use context = 'unsafe', it will completely disable the XSS protection. Once that is disabled, your site may be vulnerable to cross-site scripting through those unsafe properties.
htl-spec/SPECIFICATION.md at master · Adobe-Marketing-Cloud/htl-spec · GitHub
What is Cross-site Scripting and How Can You Fix it?
Thanks
Veena
Thanks for the reply Veena. I'll be sure to avoid it. So if we use 'unsafe' anywhere in a component it will disable XSS Protection on the entire site?
Not 100%. But via that particular property your site will become vulnerable to XSS. Imagine someone adding a script to the dialog, or anything like that for that matter, which may ultimately end up in your website and will make it vulnerable.
It will not make the entire site unsafe, but only those decorative tags or scripts that you are using with context as "unsafe". It is not recommended to use the unsafe context; that is one of the reasons why HTL is preferred over JSP, as it avoids cross-site scripting. There are a lot of other contexts available which may fit your requirement; just give them a try.
Thanks for your replies all! I was able to use @ context = 'scriptComment' to embed our Wistia video. It looks like that was the way to embed both of them successfully.
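To make the difference between the contexts discussed in this thread concrete, here is an added example (not from the thread, and not the HTL runtime itself) that models what 'text', 'html' and 'unsafe' do to an editor-supplied embed snippet. The tag/attribute allowlist, the regex-based parsing and the `example.invalid` script URL are constructed assumptions; the real HTL 'html' context uses a full HTML sanitizer, and 'scriptComment' is not modelled here.

```javascript
// Simplified model of HTL display contexts (added example, not the HTL implementation).
// Assumption: a small allowlist is enough to show why 'html' strips the <script> half
// of an embed, 'text' neutralises all of it, and 'unsafe' passes everything through.
const ALLOWED_TAGS = new Set(["div", "p", "span", "a", "b", "i", "em", "strong", "br"]);
const ALLOWED_ATTRS = new Set(["class", "id", "href", "title"]);

// context='text': every character that could start markup is entity-encoded.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// context='html': markup survives, but only allowlisted tags and attributes do;
// <script>/<style> blocks go with their contents, on* handlers and javascript: URLs are dropped.
function sanitizeHtml(value) {
  const noScripts = String(value).replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  return noScripts.replace(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return "";
    if (tag.startsWith("</")) return `</${lower}>`;
    const kept = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const attr = m[1].toLowerCase();
      const val = m[3] ?? m[4] ?? m[5] ?? "";
      if (!ALLOWED_ATTRS.has(attr)) continue;              // drops onclick=, onerror=, ...
      if (attr === "href" && /^\s*javascript:/i.test(val)) continue;
      kept.push(`${attr}="${escapeText(val)}"`);           // re-encodes attribute values
    }
    return `<${lower}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Dispatch the way an HTL expression with @ context='...' would.
function render(value, context) {
  switch (context) {
    case "text": return escapeText(value);
    case "html": return sanitizeHtml(value);
    case "unsafe": return String(value); // no protection at all: the editor's input is the page
    default: throw new Error(`unsupported context in this model: ${context}`);
  }
}

// Constructed editor input: the script+div pair from the question, with a stray handler.
const SAMPLE_EMBED = '<script src="https://example.invalid/embed.js"></script>'
  + '<div class="wistia_embed" onclick="alert(1)">video</div>';
```

Run `render(SAMPLE_EMBED, "html")` and `render(SAMPLE_EMBED, "unsafe")` side by side: the first keeps only `<div class="wistia_embed">video</div>`, which is exactly why the 'html' context could not carry the embed, while the second returns the input untouched, handler included.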