[SLING-4177] Sightly: StyleString context doesn't properly escape - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: XSS Protection API 1.0.0, Scripting Sightly Engine 1.0.0
Component/s: Extensions, Scripting
Labels:
- Sightly

Description

The context='styleString' expression option seems to escape strings the same way as context='scriptString', but this breaks the string, making that context unusable. CSS strings are to be escaped \HH and not \xHH like in JS:
https://developer.mozilla.org/en-US/docs/Web/CSS/string

Consider following example:

<style>
.ft:after { content: "${'\'' @ context='styleString'}"; }
.in:after { content: "${'\"' @ context='styleString'}"; }
</style>

Which currently gets incorrectly rendered as follows:

<style>
.ft:after { content: "\x27"; }
.in:after { content: "\x22"; }
</style>

Following output would have been expected:

<style>
.ft:after { content: "\27"; }
.in:after { content: "\22"; }
</style>

Attachments

Activity

People

Assignee:: Felix Meschberger

Reporter:: Vlad Bailescu

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Nov/14 10:52

Updated:: 11/Mar/15 13:59

Resolved:: 05/Dec/14 11:33