SOLVED

Can we use @ context='scriptComment' for including JS and HTML markup?

NehaCMS
Level 4

Hi Team

As we should not use context='unsafe', to prevent XSS vulnerabilities, is it safe to use a textarea field whose value contains some JS code and HTML markup with context='scriptComment', to prevent stripping of script tags?


1 Accepted Solution
BrianKasingli
Community Advisor
Correct answer

For HTML and JS, you should try using

${properties.customHTML @ context='html'}        <!--/* Use this in case you want to output HTML - Removes markup that may contain XSS risks */-->
${properties.customJS @ context='scriptString'}  <!--/* Applies JavaScript string escaping */-->

HTML Template Language Specification - https://github.com/adobe/htl-spec/blob/master/SPECIFICATION.md

Let me know how it goes,

Brian

Bimmi_Soi
Community Advisor

Hi @NehaCMS,

I don't think there should be any issue using context='scriptComment':

${properties.jcr:title @ context='scriptComment'} <!--/* Context for JavaScript block comments. Outputs nothing if the value breaks out of the comment context */-->

Hope this helps!!

Thanks
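Added example, not code from either answer above, from the HTL engine or from the Sling XSSAPI: a small JavaScript model of the scriptString and scriptComment contexts that both answers refer to, with context='unsafe' from the question for contrast. The escaping rules are a simplified reading of the HTL specification's context table (scriptString: JavaScript string escaping; scriptComment: output nothing if the value could terminate the comment), so the exact characters encoded differ from the real implementation. Each rendered script body is then executed with a fake alert() to show whether a textarea value that contains JS and markup can run or only survives as data. The model covers the JavaScript text only; it does not model the HTML parser, which ends a <script> element at the first </script> regardless of JS comments. The sample values and property names are constructed for the example.

```javascript
// Added example: a model of three HTL display contexts applied to a textarea
// value. Not the HTL engine or the Sling XSSAPI; rules are simplified from the
// spec's context table for illustration.

// scriptString: JavaScript string escaping. Every character outside a small
// safe set becomes \xHH or \uHHHH, so the value can neither close the
// surrounding quotes nor contain a literal </script> or a comment terminator.
function escapeScriptString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.\-_]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// scriptComment: the value is placed inside a /* ... */ block comment. As the
// spec describes, a value that could terminate the comment fails validation
// and the context outputs nothing. This model checks only for "*/".
function validScriptComment(value) {
  const s = String(value);
  return s.includes("*/") ? "" : s;
}

// Script body a template such as
//   var note = "${properties.customJS @ context='scriptString'}";
// would produce (property name is hypothetical).
function renderStringContext(value) {
  return 'var note = "' + escapeScriptString(value) + '";\nreturn note;';
}

// Script body for a template such as
//   /* ${properties.customJS @ context='scriptComment'} */
// followed by code that must still run after the comment.
function renderCommentContext(value) {
  return "/* " + validScriptComment(value) + " */\nvar marker = 'after-comment';\nreturn marker;";
}

// Same template as the scriptString case but with context='unsafe':
// the value is written into the script verbatim.
function renderUnsafeContext(value) {
  return 'var note = "' + String(value) + '";\nreturn note;';
}

// Execute a rendered script body in isolation, counting calls to alert().
function execute(body) {
  let alerts = 0;
  const fakeAlert = () => { alerts += 1; };
  const result = new Function("alert", body)(fakeAlert);
  return { result, alerts };
}

// Constructed sample inputs: one benign textarea value containing markup and
// a script tag, plus breakout attempts aimed at each position.
const SAMPLES = {
  benign: "<b>Hello</b> <script>console.log('hi')</script>",
  stringBreakout: '"; alert(1); //',
  commentBreakout: "*/ alert(1); /*",
  scriptClose: "</script><script>alert(1)</script>",
};

// scriptString: the value round-trips as a string and never calls alert().
function checkStringContext(value) {
  const { result, alerts } = execute(renderStringContext(value));
  return { roundTrips: result === value, alerts };
}

// scriptComment: "*/" payloads are blanked; everything else is emitted
// verbatim but sits inside a comment, so markup and script tags never run.
function checkCommentContext(value) {
  const emitted = validScriptComment(value);
  const { result, alerts } = execute(renderCommentContext(value));
  return { emitted, codeAfterCommentRan: result === "after-comment", alerts };
}

// unsafe: the breakout payload closes the string and alert() actually fires.
function checkUnsafeContext(value) {
  try {
    const { result, alerts } = execute(renderUnsafeContext(value));
    return { roundTrips: result === value, alerts, error: null };
  } catch (e) {
    return { roundTrips: false, alerts: 0, error: e.name };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, value] of Object.entries(SAMPLES)) {
    console.log(name, "scriptString:", checkStringContext(value));
    console.log(name, "scriptComment:", checkCommentContext(value));
    console.log(name, "unsafe:", checkUnsafeContext(value));
  }
}
```

Run with node. The benign sample shows the practical answer to the question: scriptComment does leave the <script> tag in the output, but only inside a JS comment where it is inert data, while scriptString preserves it as the content of a string; neither context makes the stored script execute, and only the unsafe rendering lets the breakout sample call alert().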
