[ 
https://issues.apache.org/jira/browse/SLING-6959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050258#comment-16050258
 ] 

Lukas Kummer commented on SLING-6959:
-------------------------------------

might be a duplicate of SLING-5050

> XssProtection changes html semantic caused by formatting
> --------------------------------------------------------
>
>                 Key: SLING-6959
>                 URL: https://issues.apache.org/jira/browse/SLING-6959
>             Project: Sling
>          Issue Type: Bug
>    Affects Versions: XSS Protection API 1.0.2, Scripting Sightly Engine 1.0.2
>         Environment: AEM
>            Reporter: Lukas Kummer
>            Priority: Minor
>         Attachments: space.png
>
>
> When using Sightly, the following HTML:
> {code:html}
> <td class="infoline" > ${component.infoline @ context='html'} </td>
> {code}
> it will be compiled to:
> {code:java}
> String var_28 = ((" "+renderContext.toString(renderContext.call("xss", 
> renderContext.resolveProperty(_global_component, "infoline"), "html")))+" ");
> {code}
> which calls
> org.apache.sling.scripting.sightly.impl.engine.extension.XSSRuntimeExtension.call(RenderContext, Object...)
> and later:
> org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(String)
> When this method is called with this String:
> {code:html}
> Is it a <span style="color:#e60000">threat</span> or an <span 
> style="color:#e60000">opportunity</span>?<br>
> Is it a threat or an opportunity?
> {code}
> it will be turned into
> {code:html}
> Is it a <span style="color: rgb(230,0,0);">threat</span>
>  or an <span style="color: rgb(230,0,0);">opportunity</span>
> ?<br />
> Is it a threat or an opportunity?
> {code}
> which leads to the problem that there will be a space between the word
> opportunity and the question mark.
> However, the formatting could be configured by changing the
> SLING-INF/content/config.xml
> (from <directive name="formatOutput" value="true"/> to <directive
> name="formatOutput" value="false"/>)
> But anyway the formatting shouldn't change the semantics, which is why the
> formatting directive should always be false.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
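As an added regression check for the behaviour described in the quoted issue (this is not code from the Sling project or the reporter): a small Python script that approximates a browser's inline whitespace collapsing and flags when a filter's pretty-printed output no longer renders the same text as its input. The input and formatOutput=true strings are the ones quoted above; the unformatted variant and the helper names are constructed assumptions.

```python
"""Detect whether an HTML filter's pretty-printing changed the rendered text.
Constructed example for the SLING-6959 report; helper names are assumptions
and are not part of Sling's XSSAPI."""
import re
from html.parser import HTMLParser


class _TextCollector(HTMLParser):
    """Collects text nodes; <br> becomes a newline so line breaks survive."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.parts.append("\n")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # covers the <br /> form the filter emits

    def handle_data(self, data):
        self.parts.append(data)


def rendered_text(fragment):
    """Approximate a browser's view of inline content: text nodes joined,
    whitespace runs collapsed to one space (normal white-space handling)."""
    collector = _TextCollector()
    collector.feed(fragment)
    collector.close()
    return re.sub(r"\s+", " ", "".join(collector.parts)).strip()


def formatting_changed_semantics(before, after):
    """True when filtering altered the visible text, e.g. injected a space."""
    return rendered_text(before) != rendered_text(after)


# Constructed samples: the input and the formatOutput=true output quoted in
# the issue, plus an assumed formatOutput=false output (same markup, no newlines).
ORIGINAL = ('Is it a <span style="color:#e60000">threat</span> or an <span '
            'style="color:#e60000">opportunity</span>?<br>'
            'Is it a threat or an opportunity?')
FORMATTED = ('Is it a <span style="color: rgb(230,0,0);">threat</span>\n'
             ' or an <span style="color: rgb(230,0,0);">opportunity</span>\n'
             '?<br />\nIs it a threat or an opportunity?')
UNFORMATTED = FORMATTED.replace("\n", "")
```

Running `formatting_changed_semantics(ORIGINAL, FORMATTED)` reports the stray space before the question mark, while the newline-free variant passes; the same comparison can sit in a unit test around any HTML filter whose output feeds inline content.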