Hey everyone,
I'm looking at some sightly HTL code and have a certain instance where we need to have a <script> tag and a <div> tag together to embed a wistia video. In order to do this I made a component so my editors can embed html directly and it is rendered on the page.
I can either do the @ context = 'html' to embed html directly, or the 'text' to render my javascript but there isn't something to embed them together other than 'unsafe'
What does this unsafe context mean? What would be unsafe about doing it this way? Is this a security vulnerability to embed things using this context? Or is it mostly 'unsafe' because editors can embed malformed html, scripts, and the api doesn't make everything match? It's only on my dev instance now.
Thanks for any suggestions on this!
Brendan
Solved! Go to Solution.
Views
Replies
Total Likes
HTL has inbuilt XSS protection rather than as before. So when you use context = 'unsafe' , it will completely disable the XSS protection. Once that is disabled your site may be vulnerable to cross site scripting through those unsafe properties.
htl-spec/SPECIFICATION.md at master · Adobe-Marketing-Cloud/htl-spec · GitHub
What is Cross-site Scripting and How Can You Fix it?
Thanks
Veena
HTL has inbuilt XSS protection rather than as before. So when you use context = 'unsafe' , it will completely disable the XSS protection. Once that is disabled your site may be vulnerable to cross site scripting through those unsafe properties.
htl-spec/SPECIFICATION.md at master · Adobe-Marketing-Cloud/htl-spec · GitHub
What is Cross-site Scripting and How Can You Fix it?
Thanks
Veena
Thanks for the reply Veena. I'll be sure to avoid it. So if we use 'unsafe' anywhere in a component it will disable XSS Protection on the entire site?
Views
Replies
Total Likes
Not 100% . But via that particular property your site will become vulnerable to XSS . Imagine somone adding a script to the dialog or anything like dat for that matter which may ultimately end up in your website and will make it vulnerable..
Views
Replies
Total Likes
It will not make entire site unsafe, but only those decorative tags or scripts that you are using with context as "unsafe". It is not recommended to use unsafe context that is one of the reasons why HTL is preferred over JSP as it avoid cross side scripting. There are lot of other context available which may fit your requirement just give them a try.
Views
Replies
Total Likes
Thanks for your replies all! I was able to use @content = 'scriptComment' to embed our wistia video. It looks like that was the way to embed both of them successfully.
Views
Likes
Replies