good morning.
I am working on part of a script that outputs search results and includes links to reorder these results using data-sly-attribute.href properties on <a> links.
I have found that the values trigger the XSS detection in HTL and removes the attribute. I have some test code below that demonstrate these cases
As you can see, when I use context='unsafe' the code displays, but not on the data-sly-attribute.href of the <a>. It seems like the implicit context='uri' that is set on the href overrides the passed unsafe context.
I have 2 questions.
1. Is this the correct behavior? It seems that the context passed by the expression should overrule the default context.
2. Can anyone point me to documentation to configure the xss api to accespt these uri's?
Thanks
<sly data-sly-list.orderByOption="${articleList.orderByOptions}">
<li>
<pre>
uri: ${'{0}.html?{1}' @ format=[resource.path,orderByOption.queryString], context='uri'},
unsafe: ${'{0}.html?{1}' @ format=[resource.path,orderByOption.queryString], context='unsafe'}
</pre>
<a data-sly-attribute.href="${'{0}.html?{1}' @ format=[resource.path,orderByOption.queryString], context='unsafe'}"
data-sly-attribute.class="${'{0}' @ format=[orderByOption.text == articleList.activeOrderByOption.text ? 'active' : '']}"
data-orderby="${orderByOption.orderBy}"
data-orderby-sort="${orderByOption.orderBySort}">${orderByOption.text}</a>
</li>
</sly>
results in:
<li>
<pre>
uri: ,
unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc
</pre>
<a data-orderby="story.[jcr:content/dispDate]" data-orderby-sort="desc" class="active">Newest First</a>
</li>
<li>
<pre>
uri: ,
unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=asc
</pre>
<a data-orderby="story.[jcr:content/dispDate]" data-orderby-sort="asc">Oldest First</a>
</li>
<li>
<pre>
uri: ,
unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:score]&orderBySort=desc
</pre>
<a data-orderby="story.[jcr:score]" data-orderby-sort="desc">Best Match First</a>
</li>
<li>
<pre>
uri: ,
unsafe: /content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:score]&orderBySort=asc
</pre>
<a data-orderby="story.[jcr:score]" data-orderby-sort="asc">Worst Match First Descending</a>
</li>
Solved! Go to Solution.
Topics help categorize Community content and increase your ability to discover relevant content.
Views
Replies
Total Likes
Hi @B_Stockwell,
Let me first try quickly answer your questions, and next elaborate a bit more about potential solution.
1. Is this the correct behavior? It seems that the context passed by the expression should overrule the default context.
In my opinion this is correct behavior, at least looking into what has been written in HTL specification - Display Context
${properties.jcr:title @ context='uri'} <!--/* Outputs nothing if the value contains XSS risks */-->
2. Can anyone point me to documentation to configure the xss api to accespt these uri's?
I do not think you should manipulate/change xss api rules. I think this will be rather a workaround then a proper solution.
In general you should have a closer look into options described in URI Manipulation section of HTL specification. Especially section about query looks interesting.
In other words you should use query attribute together with context='uri' to get expected result.
I did a short test on my own, and I have found one issue in your query string format. But lets have a closer look into scenarios I have checked.
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri'}
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='unsafe'}
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri', query}The reason why this combination is not working, is a fact that you are using reserved characters in your query, which are [ and ]. Please have a look into reserved characters section from RFC - https://www.rfc-editor.org/rfc/rfc3986#section-2.2
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.jcr:content/dispDate&orderBySort=desc' @ context='uri', query
Summarizing if you are using contex='uri', then query attribute should be the option to be used for getting query string to be displayed.
Hi @B_Stockwell,
Let me first try quickly answer your questions, and next elaborate a bit more about potential solution.
1. Is this the correct behavior? It seems that the context passed by the expression should overrule the default context.
In my opinion this is correct behavior, at least looking into what has been written in HTL specification - Display Context
${properties.jcr:title @ context='uri'} <!--/* Outputs nothing if the value contains XSS risks */-->
2. Can anyone point me to documentation to configure the xss api to accespt these uri's?
I do not think you should manipulate/change xss api rules. I think this will be rather a workaround then a proper solution.
In general you should have a closer look into options described in URI Manipulation section of HTL specification. Especially section about query looks interesting.
In other words you should use query attribute together with context='uri' to get expected result.
I did a short test on my own, and I have found one issue in your query string format. But lets have a closer look into scenarios I have checked.
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri'}
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='unsafe'}
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.[jcr:content/dispDate]&orderBySort=desc' @ context='uri', query}The reason why this combination is not working, is a fact that you are using reserved characters in your query, which are [ and ]. Please have a look into reserved characters section from RFC - https://www.rfc-editor.org/rfc/rfc3986#section-2.2
${'/content/test-uc/news/search/jcr:content/main/article_list.html?article-list-id=163453488&manualArticles=&term=&authors=&contacts=&displayDateRangeType=&displayDateStart=&displayDateEnd=&tags=&anyAll=&showEvents=&articlesExclude=&authorsExclude=&tagsExclude=&limit=10&orderBy=story.jcr:content/dispDate&orderBySort=desc' @ context='uri', query
Summarizing if you are using contex='uri', then query attribute should be the option to be used for getting query string to be displayed.
Hi,
I think the issue with the
story.[jcr:content/dispDate]
part of your returned query string, If you removed that it works, see below
To fix this issue you must return the actual value from backedn rather than using HTL expression inside query string.
Views
Likes
Replies
Views
Likes
Replies