Expand my Community achievements bar.

SOLVED

Protect against Malicious content(XSS attack) from being posted to backend

Avatar

Level 2

Hi,

Could anyone help me out  how i can avoid malicious content from being posted to back end from editable text box . I am using sightly in HTML.

I understand in JSP we have XSSAPI.

I am not sure how to achieve this using sightly when you post the data.

I am not using AEM forms here.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

From Adobe docs(Overview ):

"While the same result can be achieved with template languages like JSP, there the developer must manually ensure that the proper escaping is applied to each variable. As a single omission or mistake on the applied escaping is potentially sufficient to cause a cross-site scripting (XSS) vulnerability, we decided to automate this task with HTL. If needed, developers can still specify a different escaping on the expressions, but with HTL the default behavior is much more likely to correspond to the desired behavior, reducing the likelihood of errors."

It is implicit in HTL/Sightly.

View solution in original post

1 Reply

Avatar

Correct answer by
Community Advisor

From Adobe docs(Overview ):

"While the same result can be achieved with template languages like JSP, there the developer must manually ensure that the proper escaping is applied to each variable. As a single omission or mistake on the applied escaping is potentially sufficient to cause a cross-site scripting (XSS) vulnerability, we decided to automate this task with HTL. If needed, developers can still specify a different escaping on the expressions, but with HTL the default behavior is much more likely to correspond to the desired behavior, reducing the likelihood of errors."

It is implicit in HTL/Sightly.