Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!
SOLVED

HTL HTML context removes attribute

Avatar

Level 5
Level 5
10/1/19 1:26:49 PM

Hi guys,

We have an AEM component that allows users to enter HTML and the HTML is rendered like so:

<p data-sly-test.text="${textModel.text}"
   data-sly-unwrap="${textModel.isRichText}">${text @ context = 'html'}</p>

So far, so good, works fine. Now we need to create links to pages that the link checker won't find as valid (they work in the browser because the is JavaScript that will handle them).

We'd rather not disable the link checker entirely. For links that are generated in HTL, we add the attribute x-cq-linkchecker='skip' and it works fine, but the 'html' context removes that attribute when a user adds it.

Is there any documentation about exactly what attributes are allowed in html context? Is there a different context I can use that is more lax regarding html attributes but still does proper escaping, etc?

Thanks!

Views

21.2K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 5
Level 5
10/1/19 3:14:09 PM

Okay, I found something that will work. I updated the XSS filter config per:

XSS Filter issue with the target attribute of the tag

I added the x-cq-linkchecker attribute to the a tag like so:

<tag name="a" action="validate">

...

   <attribute name="x-cq-linkchecker">
  <literal-list>
  <literal value="skip"/>
  <literal value="valid"/>
  </literal-list>
  </attribute>

</tag>

View solution in original post

Views

19.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Community Advisor
Community Advisor
10/1/19 1:36:22 PM

Html context filters HTML to meet the AntiSamy policy rules, removing what doesn't match the rules. Hence rejecting your attribute for html context.

You can add context=unsafe but it disables escaping and XSS protection completely which can cause security issues.

Please read more about context on the blog: HTL Expression Language

Views

18.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 5
Level 5
10/1/19 2:04:03 PM

I am aware of all of that and don't want to use context unsafe. Do I have other options?

Views

19.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
10/1/19 2:06:43 PM

To protect against cross-site scripting (XSS) vulnerabilities, HTL automatically recognises the context within which an output string is to be displayed within the final HTML output, and escapes that string appropriately.

It is also possible to override the automatic display context handling with the context option.

${properties.jcr:title @ context='html'}  <!--/* Use this in case you want to output HTML - Removes markup that may contain XSS risks */-->

${properties.jcr:title @ context='text'}  <!--/* Use this for simple HTML content - Encodes all HTML */-->

${properties.jcr:title @ context='elementName'}  <!--/* Allows only element names that are white-listed, outputs 'div' otherwise */-->

${properties.jcr:title @ context='attributeName'} <!--/* Outputs nothing if the value doesn't correspond to the HTML attribute name syntax - doesn't allow 'style' and 'on*' attributes */-->

${properties.jcr:title @ context='attribute'}  <!--/* Applies HTML attribute escaping */-->

${properties.jcr:title @ context='uri'}  <!--/* Outputs nothing if the value contains XSS risks */-->

${properties.jcr:title @ context='scriptToken'}  <!--/* Outputs nothing if the value doesn't correspond to an Identifier, String literal or Numeric literal JavaScript token */-->

${properties.jcr:title @ context='scriptString'}  <!--/* Applies JavaScript string escaping */-->

${properties.jcr:title @ context='scriptComment'} <!--/* Context for Javascript block comments. Outputs nothing if value is trying to break out of the comment context */-->

${properties.jcr:title @ context='scriptRegExp'}  <!--/* Applies JavaScript regular expression escaping */-->

${properties.jcr:title @ context='styleToken'}  <!--/* Outputs nothing if the value doesn't correspond to the CSS token syntax */-->

${properties.jcr:title @ context='styleString'}  <!--/* Applies CSS string escaping */-->

${properties.jcr:title @ context='styleComment'}  <!--/* Context for CSS comments. Outputs nothing if value is trying to break out of the comment context */-->

${properties.jcr:title @ context='comment'}  <!--/* Applies HTML comment escaping */-->

${properties.jcr:title @ context='number'}  <!--/* Outputs zero if the value is not a number */-->

${properties.jcr:title @ context='unsafe'}  <!--/* Use this at your own risk, this disables XSS protection completely */-->

Views

18.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 5
Level 5
10/1/19 2:20:00 PM

Yep. I read that in the docs, too.

None of those are great for me. I just want to whitelist a particular attribute.

Is that possible?

Views

19.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 5
Level 5
10/1/19 3:14:09 PM

Okay, I found something that will work. I updated the XSS filter config per:

XSS Filter issue with the target attribute of the tag

I added the x-cq-linkchecker attribute to the a tag like so:

<tag name="a" action="validate">

...

   <attribute name="x-cq-linkchecker">
  <literal-list>
  <literal value="skip"/>
  <literal value="valid"/>
  </literal-list>
  </attribute>

</tag>

Views

19.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply