Hi,
Apart from what Feike has mentioned, please have a look at this community article:
Link: http://blogs.adobe.com/sunil/2015/07/24/338/
To add to what Feike said, please refer to this documentation to better understand context: https://docs.adobe.com/docs/en/aem/6-1/develop/sightly/expression-language.html#Display Context
DISPLAY CONTEXT
The display context of a Sightly expression refers to its location within the structure of the HTML page. For example, if the expression appears in a place that would produce a text node once rendered, then it is said to be in a text context. If it is found within the value of an attribute, then it is said to be in an attribute context, and so forth.
With the exception of script (JS) and style (CSS) contexts, Sightly will automatically detect the context of expressions and escape them appropriately, to prevent XSS security problems. In the case of scripts and CSS, the desired context behavior must be explicitly set. Additionally, the context behavior can also be explicitly set in any other case where an override of the automatic behavior is desired.
Here we have three variables in three different contexts: properties.link (uri context), properties.title (attribute context) and properties.text (text context). Sightly will escape each of these differently in accordance with the security requirements of their respective contexts. No explicit context setting is required in normal cases such as this one:
<a href="${properties.link}" title="${properties.title}">${properties.text}</a>
Code samples are intended for illustration purposes only.
To safely output markup (that is, where the expression itself evaluates to HTML), the html context is used:
<div>${properties.richText @ context='html'}</div>
Explicit context must be set for style contexts:
<span style="color: ${properties.color @ context='styleToken'};">...</span>
Explicit context must be set for script contexts:
<span onclick="${properties.function @ context='scriptToken'}();">...</span>
Escaping and XSS protection can also be turned off:
<div>${myScript @ context='unsafe'}</div>
| Context | When to use | What it does |
|---|---|---|
| text | Default for content inside elements | Encodes all HTML special characters. |
| html | To safely output markup | Filters HTML to meet the AntiSamy policy rules, removing what doesn't match the rules. |
| attribute | Default for attribute values | Encodes all HTML special characters. |
| uri | To display links and paths; default for href and src attribute values | Validates URI for writing as an href or src attribute value, outputs nothing if validation fails. |
| number | To display numbers | Validates URI for containing an integer, outputs zero if validation fails. |
| attributeName | Default for data-sly-attribute when setting attribute names | Validates the attribute name, outputs nothing if validation fails. |
| elementName | Default for data-sly-element | Validates the element name, outputs nothing if validation fails. |
| scriptToken | For JS identifiers, literal numbers, or literal strings | Validates the JavaScript token, outputs nothing if validation fails. |
| scriptString | Within JS strings | Encodes characters that would break out of the string. |
| scriptComment | Within JS comments | Validates the JavaScript comment, outputs nothing if validation fails. |
| styleToken | For CSS identifiers, numbers, dimensions, strings, hex colours or functions | Validates the CSS token, outputs nothing if validation fails. |
| styleString | Within CSS strings | Encodes characters that would break out of the string. |
| styleComment | Within CSS comments | Validates the CSS comment, outputs nothing if validation fails. |
| unsafe | Only if none of the above does the job | Disables escaping and XSS protection completely. |
I hope this helps you.
Thanks and Regards
Kautuk Sahni
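As an added illustration, not part of the post above nor of Adobe's documentation or AEM's own XSSAPI, this Python script mimics the behaviour described in the context table so that the effect of each context (encode, validate-or-output-nothing, or `unsafe` pass-through) can be tried on constructed input. The regexes, allowed schemes and tag allowlist are my simplifications and are assumptions, not AEM's actual rules.

```python
import html
import re
from urllib.parse import urlparse
# Constructed approximation of the display-context table quoted above, NOT AEM's
# implementation: encode, validate (nothing or 0 on failure) or, for unsafe, pass through.
JS_TOKEN = re.compile(r"^(?:[A-Za-z_$][\w$]*|-?\d+(?:\.\d+)?|'[^'\\]*'|\"[^\"\\]*\")$")
CSS_TOKEN = re.compile(r"^(?:-?[A-Za-z_][\w-]*(?:\([^()]*\))?|-?\d+(?:\.\d+)?(?:px|em|rem|%)?|#[0-9A-Fa-f]{3,8})$")
XML_NAME = re.compile(r"^[A-Za-z_:][\w:.-]*$")
ALLOWED_SCHEMES = {"", "http", "https", "mailto", "tel"}   # "" = relative path
SAFE_TAGS = {"p", "b", "i", "em", "strong", "br"}          # stand-in for an AntiSamy policy

def valid_uri(value):
    """uri: relative paths or allowed schemes, else nothing; control chars stripped first."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)       # 'java\tscript:' is still a scheme
    return value if urlparse(cleaned).scheme.lower() in ALLOWED_SCHEMES else ""

def quoted_string(value):
    """scriptString / styleString: escape characters that could end the string."""
    return (value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
            .replace("<", "\\x3c").replace(">", "\\x3e").replace("\n", "\\n"))

def filter_html(value):
    """html: crude tag allowlist; disallowed tags and all attributes are dropped."""
    keep = lambda m: f"<{m[1]}{m[2].lower()}>" if m[2].lower() in SAFE_TAGS else ""
    return re.sub(r"<(/?)([A-Za-z][\w-]*)[^>]*>", keep, value)

CONTEXTS = {
    "text": lambda v: html.escape(v, quote=True),
    "attribute": lambda v: html.escape(v, quote=True),
    "uri": valid_uri,
    "number": lambda v: v if re.fullmatch(r"-?\d+", v) else "0",
    "attributeName": lambda v: v if XML_NAME.fullmatch(v) else "",
    "elementName": lambda v: v if XML_NAME.fullmatch(v) else "",
    "html": filter_html,
    "scriptToken": lambda v: v if JS_TOKEN.fullmatch(v) else "",
    "scriptString": quoted_string,
    "scriptComment": lambda v: "" if ("*/" in v or "\n" in v) else v,
    "styleToken": lambda v: v if CSS_TOKEN.fullmatch(v) else "",
    "styleString": quoted_string,
    "styleComment": lambda v: "" if "*/" in v else v,
    "unsafe": lambda v: v,   # nothing stands between the stored value and the page
}

def render(context, value):
    return CONTEXTS[context](str(value))

def render_link(link, title, text):
    """The <a> sample above: href validated as uri, then attribute-encoded."""
    return (f'<a href="{render("attribute", render("uri", link))}" '
            f'title="{render("attribute", title)}">{render("text", text)}</a>')
```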