XSSAPI in AEM 6.2

Jt_Jayati

03-03-2017

In AEM 6.2 com.adobe.granite.xss.XSSAPI is deprecated and use of org.apache.sling.xss.XSSAPI is suggested; however, cq:defineObjects in http://www.day.com/taglibs/cq/1.0 still uses the deprecated one.

Is there any new taglib version which I need to use in my global.jsp?

Replies

diptinarang

06-03-2017

I am facing the same issue, any pointers from anyone?

kautuk_sahni
Community Manager

06-03-2017

Hi

Check this community article:

Link: https://adobe-consulting-services.github.io/acs-aem-commons/features/xss-functions.html

This covers simple JSP EL functions for XSS protection using the XSSAPI service provided by AEM.

    Add the taglib declaration:

        <%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>

    Example:

        <%@include file="/libs/foundation/global.jsp"%><%
        %><%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>
        ${xss:encodeForHTMLAttr(xssAPI, 'hi"')}

I hope this would help you.

~kautuk

Jt_Jayati

06-03-2017

Thanks, but ACS Commons also uses the deprecated API com.adobe.granite.xss.XSSAPI internally 😞

Daniel_H__A__Li

15-03-2017

Hi, Jayati.

How about adapting the sling request to org.apache.sling.xss.XSSAPI?

    import org.apache.sling.xss.XSSAPI;
    import org.apache.sling.api.SlingHttpServletRequest;

    // (...)

    // request is an instance of SlingHttpServletRequest
    XSSAPI xssapi = request.adaptTo(XSSAPI.class);
    String encodedAttr = xssapi.encodeForHTMLAttr(someUnsafeValue);

?

I believe I've seen something similar in XSSRuntimeExtension.obtainAPI().

Regards,

Daniel.
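An added example (not Daniel's code, and not Adobe's or Sling's) that carries the approach above into a small helper for JSP-backed components: it obtains a request-specific org.apache.sling.xss.XSSAPI, falls back to the OSGi service when the request does not adapt (whether an adapter factory is registered depends on the Sling XSS bundle version), and then applies the encoder or validator that matches each output context. The class and method names are hypothetical.

```java
// Added example, not from the thread or from Adobe/Sling: obtaining the Sling
// XSSAPI for the current request and encoding per output context.
// Class and method names are hypothetical.
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.scripting.SlingScriptHelper;
import org.apache.sling.xss.XSSAPI;

public final class SlingXssSupport {

    private SlingXssSupport() { }

    /**
     * Returns a request-specific Sling XSSAPI. The adapter is tried first, as in the
     * reply above; if it yields null, the OSGi service is looked up and bound to the
     * request, which is what getValidHref needs to validate relative links.
     */
    public static XSSAPI obtain(SlingHttpServletRequest request, SlingScriptHelper sling) {
        XSSAPI api = request.adaptTo(XSSAPI.class);
        if (api == null && sling != null) {
            XSSAPI service = sling.getService(XSSAPI.class);
            if (service != null) {
                api = service.getRequestSpecificAPI(request);
            }
        }
        if (api == null) {
            throw new IllegalStateException(
                "org.apache.sling.xss.XSSAPI is not available; check that the Sling XSS bundle is active");
        }
        return api;
    }

    /**
     * Builds a teaser link from untrusted authored values. Each value goes through the
     * routine for the context it lands in: the href is validated as a URL (rejected
     * schemes such as javascript: come back as an empty string), the title attribute is
     * attribute-encoded, and the element body is HTML-encoded. Using encodeForHTML for
     * all three is the classic mistake that leaves attribute contexts exposed.
     */
    public static String teaserLink(XSSAPI xss, String href, String title) {
        String safeHref = xss.getValidHref(href);
        if (safeHref.isEmpty()) {
            safeHref = "#"; // do not emit an empty or rejected href
        }
        return "<a href=\"" + safeHref + "\""
             + " title=\"" + xss.encodeForHTMLAttr(title) + "\">"
             + xss.encodeForHTML(title)
             + "</a>";
    }

    /**
     * Numeric component properties are validated rather than encoded: a non-numeric
     * or out-of-range value falls back to the default instead of reaching the markup.
     */
    public static int listLimit(XSSAPI xss, String authoredLimit) {
        int limit = xss.getValidInteger(authoredLimit, 10);
        return Math.max(1, Math.min(limit, 100));
    }
}
```

In a JSP, `obtain(slingRequest, sling)` can be called once in global.jsp and the result bound under a name that does not collide with the `xssAPI` variable that cq:defineObjects still defines.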

Jt_Jayati

16-03-2017

Yes, that's a solution to be done in global.jsp, or the one below, as the API itself provides this function:

    XSSAPI xssapi = sling.getService(XSSAPI.class).getRequestSpecificAPI(slingRequest);

But with both these solutions we get an error of "duplicate JSP variable", and so we need to assign it to some other variable like "slingXSSAPI", and here comes the overhead of changing all the occurrences of this variable in a good amount of files. This is doable, but if things are later on updated in the cq tag library's defineObjects, then we need to revert to the actual variable again for all occurrences. So is it fine to keep using the deprecated import which the cq taglib is using, or, no matter what the cq tag library is using, should we never go ahead with deprecated code? What is recommended?

smacdonald2008

16-03-2017

What type of component are you building: are you using HTL (Sightly) or JSP?

Jt_Jayati

16-03-2017

JSPs.

sachinarora

22-05-2018

We are currently using the ACS Commons deprecated taglib. The only solution I can think of is creating a custom tag library (for the time being we are having JSPs) exposing all the methods of the ACS taglib but using the Sling XSSAPI internally. It will require a change in only global.jsp. Also, the HTL global object xssAPI is of the deprecated XSSAPI, as mentioned here: https://helpx.adobe.com/experience-manager/htl/using/global-objects.html
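An added example, not sachinarora's code and not the ACS AEM Commons taglib, of what such a custom tag library could look like: static EL functions that keep the ACS-style `xss:*` calling convention but delegate to org.apache.sling.xss.XSSAPI. They take `slingRequest` (already bound by cq:defineObjects) as the first argument, so global.jsp only needs the taglib declaration and no new page variable, which also sidesteps the "duplicate JSP variable" problem raised earlier in the thread. The class name, TLD URI and prefix are hypothetical.

```java
// Added example, not the project's or ACS AEM Commons' code: EL functions for a
// project-specific JSP taglib backed by org.apache.sling.xss.XSSAPI.
// Class name, TLD uri and prefix are hypothetical.
//
// TLD (one <function> per method), e.g. META-INF/slingxss.tld in the bundle:
//   <uri>http://example.com/taglibs/slingxss</uri>
//   <function>
//     <name>encodeForHTML</name>
//     <function-class>com.example.xss.SlingXssFunctions</function-class>
//     <function-signature>java.lang.String encodeForHTML(
//         org.apache.sling.api.SlingHttpServletRequest, java.lang.String)</function-signature>
//   </function>
//
// JSP usage after <%@ taglib prefix="sxss" uri="http://example.com/taglibs/slingxss" %>:
//   <h2>${sxss:encodeForHTML(slingRequest, properties.title)}</h2>
//   <a href="${sxss:getValidHref(slingRequest, properties.link)}"
//      title="${sxss:encodeForHTMLAttr(slingRequest, properties.title)}">...</a>
//   <script>var cmpId = '${sxss:encodeForJSString(slingRequest, properties.id)}';</script>
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.scripting.SlingBindings;
import org.apache.sling.api.scripting.SlingScriptHelper;
import org.apache.sling.xss.XSSAPI;

public final class SlingXssFunctions {

    private SlingXssFunctions() { }

    /**
     * Resolves the Sling XSSAPI through the script bindings that Sling stores on the
     * request, then binds it to the request, the same call the thread quotes:
     * sling.getService(XSSAPI.class).getRequestSpecificAPI(slingRequest).
     */
    private static XSSAPI api(SlingHttpServletRequest request) {
        SlingBindings bindings = (SlingBindings) request.getAttribute(SlingBindings.class.getName());
        SlingScriptHelper sling = bindings == null ? null : bindings.getSling();
        XSSAPI service = sling == null ? null : sling.getService(XSSAPI.class);
        if (service == null) {
            throw new IllegalStateException("Sling XSSAPI service not available for this request");
        }
        return service.getRequestSpecificAPI(request);
    }

    // Encoders: choose by the context the value is written into.
    public static String encodeForHTML(SlingHttpServletRequest request, String value) {
        return api(request).encodeForHTML(value);
    }

    public static String encodeForHTMLAttr(SlingHttpServletRequest request, String value) {
        return api(request).encodeForHTMLAttr(value);
    }

    public static String encodeForXML(SlingHttpServletRequest request, String value) {
        return api(request).encodeForXML(value);
    }

    public static String encodeForJSString(SlingHttpServletRequest request, String value) {
        return api(request).encodeForJSString(value);
    }

    // Validators: the value is checked against an allow-list rather than escaped.
    public static String getValidHref(SlingHttpServletRequest request, String url) {
        return api(request).getValidHref(url);
    }

    public static Integer getValidInteger(SlingHttpServletRequest request, String value, int defaultValue) {
        return api(request).getValidInteger(value, defaultValue);
    }

    // Rich text from authors: strip everything the AntiSamy policy does not allow.
    public static String filterHTML(SlingHttpServletRequest request, String richText) {
        return api(request).filterHTML(richText);
    }
}
```

Because every function resolves the API from the request, the functions are safe to call from any JSP that goes through cq:defineObjects, and moving the project off the deprecated Granite API later means changing only this class and its TLD, not each JSP.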

sindhug14537977

30-11-2018

We upgraded our project from 6.3 to 6.4 and we have a few components using JSPs yet.

We are facing the same issue. Please let me know if you found a solution to this.

Thank You!