Can we use @context='scriptComment' for including JS and html markup | Community
August 17, 2021
Solved

  • 2 replies
  • 1532 views

Hi Team

As we should not use context=unsafe to prevent XSS vulnerability, is it safe to use a textarea field with values with some JS code and HTML markup with context=scriptComment to prevent stripping of script tags?

2 replies

Adobe Employee
August 17, 2021

Hi @nehama,

I don't think there should be any issue using context=scriptComment

${properties.jcr:title @ context='scriptComment'} <!--/* Context for JavaScript block comments. Outputs nothing if the value breaks out of the comment context */-->

Hope this helps!!

Thanks

BrianKasingli
Community Advisor and Adobe Champion
Accepted solution
August 19, 2021

For HTML and JS, you should try using

${properties.customHTML @ context='html'}        <!--/* Use this in case you want to output HTML - Removes markup that may contain XSS risks */-->
${properties.customJS @ context='scriptString'}  <!--/* Applies JavaScript string escaping */-->

HTML Template Language Specification - https://github.com/adobe/htl-spec/blob/master/SPECIFICATION.md

Let me know how it goes,

Brian
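
Where each of the three contexts named in this thread belongs in an HTL template, as an added example (not code from the posters or from Adobe). The property names are the ones used in the replies; the wrapper markup and the `authorNote` variable are assumptions.

```html
<!--/* Added example. customHTML, customJS and jcr:title come from the replies above;
       the div wrapper and the authorNote variable are assumed for illustration. */-->

<!--/* Authored markup from the textarea goes through the html context,
       which removes markup that may contain XSS risks. */-->
<div class="custom-markup">${properties.customHTML @ context='html'}</div>

<script>
    // scriptString applies JavaScript string escaping, so the expression must sit
    // inside a quoted string literal. The authored text arrives as data in
    // authorNote; it is not executed as code.
    var authorNote = "${properties.customJS @ context='scriptString'}";

    /* scriptComment is the context for a value placed inside a block comment
       such as this one: ${properties.jcr:title @ context='scriptComment'}
       Nothing is output if the value would break out of the comment. */
</script>
```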