Expand my Community achievements bar.

SOLVED

HTL context override on data-sly-attribute.href

Avatar

Level 5
Level 5
12/9/22 9:40:39 AM

good morning.

 

I am working on part of a script that outputs search results and includes links to reorder these results using data-sly-attribute.href properties on <a> links.

 

I have found that the values trigger the XSS detection in HTL and removes the attribute. I have some test code below that demonstrate these cases

 

As you can see, when I use context='unsafe' the code displays, but not on the data-sly-attribute.href of the <a>. It seems like the implicit context='uri' that is set on the href overrides the passed unsafe context.

 

I have 2 questions.

1. Is this the correct behavior? It seems that the context passed by the expression should overrule the default context.

2. Can anyone point me to documentation to configure the xss api to accespt these uri's?

 

Thanks

 

 

 

<sly data-sly-list.orderByOption="${articleList.orderByOptions}">
    <li>
        <pre>
        uri: ${'{0}.html?{1}' @ format=[resource.path,orderByOption.queryString], context='uri'},
        unsafe: ${'{0}.html?{1}' @ format=[resource.path,orderByOption.queryString], context='unsafe'}
        </pre>
        <a data-sly-attribute.href="${'{0}.html?{1}' @ format=[resource.path,orderByOption.queryString], context='unsafe'}"
           data-sly-attribute.class="${'{0}' @ format=[orderByOption.text == articleList.activeOrderByOption.text ? 'active' : '']}"
           data-orderby="${orderByOption.orderBy}"
           data-orderby-sort="${orderByOption.orderBySort}">${orderByOption.text}</a>
    </li>
</sly>

 

 

results in:

 

 

                    <li> 
                        <pre>
                        uri: ,
                        unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc
                        </pre>
                        <a data-orderby="story.[jcr:content/dispDate]" data-orderby-sort="desc" class="active">Newest First</a>
                    </li>
                
                    <li> 
                        <pre>
                        uri: ,
                        unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=asc
                        </pre>
                        <a data-orderby="story.[jcr:content/dispDate]" data-orderby-sort="asc">Oldest First</a>
                    </li>
                
                    <li> 
                        <pre>
                        uri: ,
                        unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:score]&orderBySort=desc
                        </pre>
                        <a data-orderby="story.[jcr:score]" data-orderby-sort="desc">Best Match First</a>
                    </li>
                
                    <li> 
                        <pre>
                        uri: ,
                        unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:score]&orderBySort=asc
                        </pre>
                        <a data-orderby="story.[jcr:score]" data-orderby-sort="asc">Worst Match First Descending</a>
                    </li>

 

 

 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

HTL or HTML Template Language

Views

1.2K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
12/10/22 1:51:15 PM

Hi @B_Stockwell,

Let me first try quickly answer your questions, and next elaborate a bit more about potential solution.

1. Is this the correct behavior? It seems that the context passed by the expression should overrule the default context.

In my opinion this is correct behavior, at least looking into what has been written in HTL specification - Display Context

 

${properties.jcr:title @ context='uri'}           <!--/* Outputs nothing if the value contains XSS risks */-->

2. Can anyone point me to documentation to configure the xss api to accespt these uri's?

I do not think you should manipulate/change xss api rules. I think this will be rather a workaround then a proper solution.

In general you should have a closer look into options described in URI Manipulation section of HTL specification. Especially section about query looks interesting.

query.png

In other words you should use query attribute together with context='uri' to get expected result.

I did a short test on my own, and I have found one issue in your query string format. But lets have a closer look into scenarios I have checked.

  1. Using only context='uri' - this will not work - as you already pointed out
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri'}
  2. Using context='unsafe' only - will work - but is rather a workaround
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='unsafe'}
  3. Using context='uri' and query attribute - surprisingly this did not work as well
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri', query}
    The reason why this combination is not working, is a fact that you are using reserved characters in your query, which are [ and ]. Please have a look into reserved characters section from RFC - https://www.rfc-editor.org/rfc/rfc3986#section-2.2
    If you will change query format and remove square brackets or encode them properly combination of context='uri' and query will work correctly and you will see url with query params. I checked something like this and it worked.
     
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.jcr:content/dispDate&orderBySort=desc' @ context='uri', query

Summarizing if you are using contex='uri', then query attribute should be the option to be used for getting query string to be displayed.

View solution in original post

Views

1.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
12/10/22 1:51:15 PM

Hi @B_Stockwell,

Let me first try quickly answer your questions, and next elaborate a bit more about potential solution.

1. Is this the correct behavior? It seems that the context passed by the expression should overrule the default context.

In my opinion this is correct behavior, at least looking into what has been written in HTL specification - Display Context

 

${properties.jcr:title @ context='uri'}           <!--/* Outputs nothing if the value contains XSS risks */-->

2. Can anyone point me to documentation to configure the xss api to accespt these uri's?

I do not think you should manipulate/change xss api rules. I think this will be rather a workaround then a proper solution.

In general you should have a closer look into options described in URI Manipulation section of HTL specification. Especially section about query looks interesting.

query.png

In other words you should use query attribute together with context='uri' to get expected result.

I did a short test on my own, and I have found one issue in your query string format. But lets have a closer look into scenarios I have checked.

  1. Using only context='uri' - this will not work - as you already pointed out
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri'}
  2. Using context='unsafe' only - will work - but is rather a workaround
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='unsafe'}
  3. Using context='uri' and query attribute - surprisingly this did not work as well
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri', query}
    The reason why this combination is not working, is a fact that you are using reserved characters in your query, which are [ and ]. Please have a look into reserved characters section from RFC - https://www.rfc-editor.org/rfc/rfc3986#section-2.2
    If you will change query format and remove square brackets or encode them properly combination of context='uri' and query will work correctly and you will see url with query params. I checked something like this and it worked.
     
    ${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.jcr:content/dispDate&orderBySort=desc' @ context='uri', query

Summarizing if you are using contex='uri', then query attribute should be the option to be used for getting query string to be displayed.

Views

1.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Community Advisor
Community Advisor
12/11/22 7:12:09 AM

Hi,

I think the issue with the

story.[jcr:content/dispDate]

part of your returned query string, If you removed that it works, see below

 

arunpatidar_0-1670771426388.png

 

To fix this issue you must return the actual value from backedn rather than using HTL expression inside query string.

 



Arun Patidar

Views

1.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate