
SOLVED

AEM sightly - what is unsafe about using the 'unsafe' context


Level 4

Hey everyone,

I'm looking at some Sightly/HTL code and have a certain instance where we need to have a <script> tag and a <div> tag together to embed a Wistia video. In order to do this I made a component so my editors can embed HTML directly and it is rendered on the page.

I can either do the @ context = 'html' to embed HTML directly, or the 'text' to render my JavaScript, but there isn't something to embed them together other than 'unsafe'.

What does this unsafe context mean? What would be unsafe about doing it this way? Is this a security vulnerability to embed things using this context? Or is it mostly 'unsafe' because editors can embed malformed HTML and scripts, and the API doesn't make everything match? It's only on my dev instance now.

Thanks for any suggestions on this!

Brendan

1 Accepted Solution


Correct answer by
Community Advisor

HTL has built-in XSS protection, unlike before. So when you use context = 'unsafe', it will completely disable the XSS protection. Once that is disabled your site may be vulnerable to cross-site scripting through those unsafe properties.

htl-spec/SPECIFICATION.md at master · Adobe-Marketing-Cloud/htl-spec · GitHub

What is Cross-site Scripting and How Can You Fix it?

Thanks

Veena


5 Replies


Level 4

Thanks for the reply Veena. I'll be sure to avoid it. So if we use 'unsafe' anywhere in a component, it will disable XSS protection on the entire site?


Community Advisor

Not 100%. But via that particular property your site will become vulnerable to XSS. Imagine someone adding a script to the dialog, or anything like that for that matter, which may ultimately end up in your website and will make it vulnerable.


Level 7

It will not make the entire site unsafe, but only those decorative tags or scripts that you are using with context as "unsafe". It is not recommended to use the unsafe context; that is one of the reasons why HTL is preferred over JSP, as it avoids cross-site scripting. There are a lot of other contexts available which may fit your requirement; just give them a try.


Level 4

Thanks for your replies all! I was able to use @context = 'scriptComment' to embed our Wistia video. It looks like that was the way to embed both of them successfully.
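To make the difference the accepted answer and the "other contexts" reply describe concrete, here is an added HTL example that is not from this thread or from Adobe: the same component output with the unfiltered 'unsafe' context beside a version that keeps HTL's filtering on. The property names (embedHtml, wistiaId) and the embed URL are assumptions for illustration only.

```html
<!--/* Added example, not from the thread. Assumes a dialog that stores the editor's
       pasted markup in "embedHtml" and the video id in "wistiaId"; the embed host
       URL below is an illustrative placeholder, not a real endpoint. */-->

<!--/* Risky: 'unsafe' switches off HTL's output filtering for this one expression,
       so whatever ends up in the property is written to the page verbatim,
       <script> tags and inline event handlers included. */-->
<div class="video-embed">${properties.embedHtml @ context='unsafe'}</div>

<!--/* Safer: 'html' runs the markup through HTL's XSS filter, which keeps ordinary
       tags and attributes but strips script content and event handlers. */-->
<div class="video-embed">${properties.embedHtml @ context='html'}</div>

<!--/* Safer still: hard-code the script tag in the template and let editors supply
       only the identifier, encoded for the position it lands in. */-->
<script src="https://video-host.example/embed/${properties.wistiaId @ context='uri'}.js" async></script>
<script>
  // 'scriptString' escapes the value for use inside a JavaScript string literal
  var wistiaId = '${properties.wistiaId @ context='scriptString'}';
</script>
```

Only the expression marked 'unsafe' loses filtering; the rest of the page, and any other expression in the same component, is still protected.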