[ https://issues.apache.org/jira/browse/SLING-6959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16050258#comment-16050258 ]
Lukas Kummer commented on SLING-6959:
-------------------------------------

might be a duplicate of SLING-5050

> XssProtection changes html semantic caused by formatting
> --------------------------------------------------------
>
>                 Key: SLING-6959
>                 URL: https://issues.apache.org/jira/browse/SLING-6959
>             Project: Sling
>          Issue Type: Bug
>    Affects Versions: XSS Protection API 1.0.2, Scripting Sightly Engine 1.0.2
>         Environment: AEM
>            Reporter: Lukas Kummer
>            Priority: Minor
>         Attachments: space.png
>
>
> When using sightly the following html:
> {code:html}
> <td class="infoline" > ${component.infoline @ context='html'} </td>
> {code}
> it will be compiled to:
> {code:java}
> String var_28 = ((" "+renderContext.toString(renderContext.call("xss",
>     renderContext.resolveProperty(_global_component, "infoline"), "html")))+" ");
> {code}
> which calls
> org.apache.sling.scripting.sightly.impl.engine.extension.XSSRuntimeExtension.call(RenderContext, Object...)
> and later:
> org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(String)
> When this method is called with this String:
> {code:html}
> Is it a <span style="color:#e60000">threat</span> or an <span style="color:#e60000">opportunity</span>?<br>
> Is it a threat or an opportunity?
> {code}
> it will be turned into
> {code:html}
> Is it a <span style="color: rgb(230,0,0);">threat</span>
> or an <span style="color: rgb(230,0,0);">opportunity</span>
> ?<br />
> Is it a threat or an opportunity?
> {code}
> which leads to the problem that there will be a space between the word
> opportunity and the question mark.
> However, the formatting could be configured by changing the
> SLING-INF/content/config.xml
> (from <directive name="formatOutput" value="true"/> to <directive name="formatOutput" value="false"/>)
> But anyway the formatting shouldn't change the semantics, which is why the
> formatting directive should always be false.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
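A regression check for the behaviour the report describes, added here as an example (it is not code from the Sling project or from the reporter): it lays out both HTML strings the way a browser renders text (tags add no characters, <br> is a hard line break, whitespace runs collapse to one space) and flags the filter output when the visible text changed. The ORIGINAL and FORMATTED samples are the strings quoted in the report; UNFORMATTED is a constructed, assumed output for formatOutput=false.

```python
from html.parser import HTMLParser

# Sample strings from the SLING-6959 report: the original markup and what
# filterHTML() returned with the formatOutput directive enabled.
ORIGINAL = ('Is it a <span style="color:#e60000">threat</span> or an '
            '<span style="color:#e60000">opportunity</span>?<br>\n'
            'Is it a threat or an opportunity?')
FORMATTED = ('Is it a <span style="color: rgb(230,0,0);">threat</span>\n'
             'or an <span style="color: rgb(230,0,0);">opportunity</span>\n'
             '?<br />\n'
             'Is it a threat or an opportunity?')
# Constructed (assumed) output with formatOutput=false: attributes are still
# rewritten, but no line breaks are inserted around the inline elements.
UNFORMATTED = ('Is it a <span style="color: rgb(230,0,0);">threat</span> or an '
               '<span style="color: rgb(230,0,0);">opportunity</span>?<br />\n'
               'Is it a threat or an opportunity?')


class _TextLayout(HTMLParser):
    # Approximates browser text layout: tags add no characters, <br> is a hard
    # line break, and any whitespace run inside a line collapses to one space.
    def __init__(self):
        super().__init__()
        self.lines, self.buf = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "br":  # "<br />" also lands here via handle_startendtag
            self.lines.append("".join(self.buf))
            self.buf = []

    def handle_data(self, data):
        self.buf.append(data)

    def text(self):
        lines = self.lines + ["".join(self.buf)]
        return "\n".join(" ".join(line.split()) for line in lines)


def rendered_text(markup):
    """Text a user would see for the HTML fragment (entities already decoded)."""
    layout = _TextLayout()
    layout.feed(markup)
    layout.close()
    return layout.text()


def formatting_changed_text(before, after):
    """True when filtering/pretty-printing altered the visible text."""
    return rendered_text(before) != rendered_text(after)
```

With the report's strings, formatting_changed_text(ORIGINAL, FORMATTED) is True because the formatted output renders as "opportunity ?", while the constructed UNFORMATTED output passes.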