[SLING-6094] HTL can generate invalid Java code by using user-supplied input - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Scripting Sightly Engine 1.0.18
Fix Version/s: Scripting HTL Engine 1.0.22, Scripting HTL Java Compiler 1.0.2
Component/s: Scripting
Labels:
None

Description

HTL can generate invalid Java code by using user-supplied input or markup elements as fragments for variable names, leading to failed script executions.

This could happen with the data-sly-attribute plug-in, when the value is a map and the plug-in has to analyse previously defined attributes (see v-bind:src):

<img src="" v-bind:src="abc" data-sly-attribute="${logic.hello}" />

or with user-defined script variable names:

<div data-sly-test.jcr:title="${1>0}">correctly escaped variable</div>

Attachments

Issue Links

relates to

SLING-6223 Impossible to create HTL resource type that starts with a number inside the foldername

Resolved

Activity

People

Assignee:: Radu Cotescu

Reporter:: Mark J. Becker

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Oct/16 12:49

Updated:: 13/Jan/17 10:27

Resolved:: 07/Oct/16 10:39