Adobe Experience Manager Sites & More

djohn98390536 · 7/30/23

I hv a requirement to read the OSGI value in sightly. It is working as expected in my local but not working when I deployed to the Dev server. Please find the below code to help to solve the issue.

<sly data-sly-use.config="com.demo.common.DemoModel" />
${config.configValue} (This is working outside of src tag OSGI config value is reading)
<div class="iframe-div">
<iframe width="100%" height="300" src="${config.configValue}"></iframe>(Inside src tag not reading OSGI config value)
<div>
Thanks,

Saravanan_Dharmaraj · 7/30/23

@djohn98390536 Could you try the below by adding the context.

src="${config.configValue @context='html'}"

Please check the similar post

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/htl-html-context-removes-a...

View solution in original post

Saravanan_Dharmaraj · 7/30/23

@djohn98390536 Could you try the below by adding the context.

src="${config.configValue @context='html'}"

Please check the similar post

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/htl-html-context-removes-a...

djohn98390536 · 7/31/23

thanks a lot it is working as expected.

tusharbias · 7/30/23

HTL in AEM provides built-in security measures to protect against cross-site scripting (XSS) vulnerabilities. When outputting dynamic content in HTML, HTL automatically identifies the context in which the content will be displayed and escapes it appropriately to prevent potential security risks.

However, there are cases where you may need to override the default context handling to ensure proper security. Here are some options to customize the context handling in HTL:

Use @CONTEXT='html': This outputs HTML content and removes any markup that may pose XSS risks.
Use @CONTEXT='text': For simple HTML content, this option encodes all HTML tags to prevent any potential security issues.
Use @CONTEXT='uri': For handling URIs, this option ensures that the value does not contain any XSS risks. This might be the option you are looking for.
Use @CONTEXT='scriptToken': This handles JavaScript tokens and outputs nothing if the value doesn't correspond to a valid JavaScript token.
Use @CONTEXT='scriptString': Applies JavaScript string escaping for secure output.
Use @CONTEXT='scriptComment': For JavaScript block comments, this context ensures that the value cannot break out of the comment context.
Use @CONTEXT='scriptRegExp': For JavaScript regular expressions, this option applies proper escaping.
Use @CONTEXT='styleToken': Handles CSS tokens and ensures that the output adheres to valid CSS syntax.
Use @CONTEXT='styleComment': For CSS comments, this context prevents any attempts to break out of the comment context.
Use @CONTEXT='comment': Applies HTML comment escaping for secure output.
Use @CONTEXT='number': Outputs zero if the value is not a valid number.
Use @CONTEXT='unsafe': Caution! This option disables XSS protection completely and should only be used when you fully understand the potential risks. However, it is not recommended option.

By selecting the appropriate context option based on the specific use case, you can ensure that HTL provides secure and sanitized output, protecting your application from XSS vulnerabilities. Refer https://github.com/adobe/htl-spec/blob/master/SPECIFICATION.md#121-display-context for complete list of context available.

djohn98390536 · 7/31/23

@tusharbias thanks a lot

Adobe Experience Manager Sites & More

OGGI value not reading inside src tag of a iframe .

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe