SOLVED

Sightly : Retrieve dialog properties in a Javascript variable

Anonymous
Not applicable

We have a requirement to do a JavaScript redirection to another page, like below:

window.location.href = 'https://forums.adobe.com/content/mypage/some-page.html';

But I need to pick the URL from a dialog property. How can we do it in Sightly?

With JSPs we used to retrieve it with something like below:

<script>var title = "<%=properties.get("./title","PageTitle")%>"</script> 
1 Accepted Solution
kautuk_sahni
Correct answer by
Community Manager

Hi,

Apart from what Feike has mentioned, please have a look at this community article:

Link: http://blogs.adobe.com/sunil/2015/07/24/338/

To add to what Feike said, please refer to this documentation to better understand context: https://docs.adobe.com/docs/en/aem/6-1/develop/sightly/expression-language.html#Display Context

DISPLAY CONTEXT

The display context of a Sightly expression refers to its location within the structure of the HTML page. For example, if the expression appears in a place that would produce a text node once rendered, then it is said to be in a text context. If it is found within the value of an attribute, then it is said to be in an attribute context, and so forth.

With the exception of script (JS) and style (CSS) contexts, Sightly will automatically detect the context of expressions and escape them appropriately, to prevent XSS security problems. In the case of scripts and CSS, the desired context behavior must be explicitly set. Additionally, the context behavior can also be explicitly set in any other case where an override of the automatic behavior is desired.

Here we have three variables in three different contexts: properties.link (uri context), properties.title (attribute context) and properties.text (text context). Sightly will escape each of these differently in accordance with the security requirements of their respective contexts. No explicit context setting is required in normal cases such as this one:

    
<a href="${properties.link}" title="${properties.title}">${properties.text}</a>

Code samples are intended for illustration purposes only.

To safely output markup (that is, where the expression itself evaluates to HTML), the html context is used:

    
<div>${properties.richText @ context='html'}</div>


Explicit context must be set for style contexts:

    
<span style="color: ${properties.color @ context='styleToken'};">...</span>


Explicit context must be set for script contexts:

    
<span onclick="${properties.function @ context='scriptToken'}();">...</span>


Escaping and XSS protection can also be turned off:

    
<div>${myScript @ context='unsafe'}</div>


Context Settings

| Context | When to use | What it does |
| --- | --- | --- |
| text | Default for content inside elements | Encodes all HTML special characters. |
| html | To safely output markup | Filters HTML to meet the AntiSamy policy rules, removing what doesn't match the rules. |
| attribute | Default for attribute values | Encodes all HTML special characters. |
| uri | To display links and paths. Default for href and src attribute values | Validates URI for writing as an href or src attribute value, outputs nothing if validation fails. |
| number | To display numbers | Validates URI for containing an integer, outputs zero if validation fails. |
| attributeName | Default for data-sly-attribute when setting attribute names | Validates the attribute name, outputs nothing if validation fails. |
| elementName | Default for data-sly-element | Validates the element name, outputs nothing if validation fails. |
| scriptToken | For JS identifiers, literal numbers, or literal strings | Validates the JavaScript token, outputs nothing if validation fails. |
| scriptString | Within JS strings | Encodes characters that would break out of the string. |
| scriptComment | Within JS comments | Validates the JavaScript comment, outputs nothing if validation fails. |
| styleToken | For CSS identifiers, numbers, dimensions, strings, hex colours or functions. | Validates the CSS token, outputs nothing if validation fails. |
| styleString | Within CSS strings | Encodes characters that would break out of the string. |
| styleComment | Within CSS comments | Validates the CSS comment, outputs nothing if validation fails. |
| unsafe | Only if none of the above does the job | Disables escaping and XSS protection completely. |

 

I hope this would help you.

Thanks and Regards

Kautuk Sahni


2 Replies
Feike_Visser1
Employee

${ properties.propName @ context='scriptString'}
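
An added example, not part of the thread or of Adobe's documentation: per the context table, scriptString only encodes characters that would break out of the JS string, so a value used for a redirect still needs its scheme and host checked before it reaches window.location.href. The property name redirectUrl, the function names and the host allow-list are assumptions made for this sketch.

```javascript
// In the HTL template the dialog value would reach the script like this
// (redirectUrl is a hypothetical dialog property name):
//   var raw = "${properties.redirectUrl @ context='scriptString'}";
//   redirectFromDialog(raw, window);

// Assumption: hosts this site is willing to redirect to besides its own.
const ALLOWED_HOSTS = new Set(['forums.adobe.com']);

// Returns an absolute http(s) URL that is safe to navigate to, or null.
function resolveRedirect(raw, baseHref, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;

  let url;
  try {
    // Relative paths such as /content/... resolve against the current page.
    url = new URL(raw.trim(), baseHref);
  } catch (e) {
    return null; // not parseable as a URL at all
  }

  // Only plain web navigation; this rejects javascript:, data:, vbscript: etc.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;

  // Same host as the current page, or an explicitly allow-listed host.
  const pageHost = new URL(baseHref).host;
  if (url.host !== pageHost && !allowedHosts.has(url.hostname)) return null;

  return url.href;
}

// Performs the redirect only when the value passed validation.
// `win` is the window object (or a stand-in with location.href).
function redirectFromDialog(raw, win) {
  const target = resolveRedirect(raw, win.location.href);
  if (target === null) return false;
  win.location.href = target;
  return true;
}
```
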
