Details
- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Duplicate
- Affects Version/s: XSS Protection API 1.0.2, Scripting Sightly Engine 1.0.2
- Environment: AEM
Description
When using Sightly, the following HTML:
<td class="infoline" > ${component.infoline @ context='html'} </td>
is compiled to:
String var_28 = ((" "+renderContext.toString(renderContext.call("xss", renderContext.resolveProperty(_global_component, "infoline"), "html")))+" ");
which calls
org.apache.sling.scripting.sightly.impl.engine.extension.XSSRuntimeExtension.call(RenderContext, Object...)
and later:
org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(String)
When this method is called with this String:
Is it a <span style="color:#e60000">threat</span> or an <span style="color:#e60000">opportunity</span>?<br> Is it a threat or an opportunity?
it is turned into:
Is it a <span style="color: rgb(230,0,0);">threat</span> or an <span style="color: rgb(230,0,0);">opportunity</span> ?<br /> Is it a threat or an opportunity?
which introduces a space between the word "opportunity" and the question mark.
The formatting can be configured by changing SLING-INF/content/config.xml
(from <directive name="formatOutput" value="true"/> to <directive name="formatOutput" value="false"/>).
In any case, formatting should not change the semantics of the content, which is why the formatOutput directive should always be false.
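The regression the report describes is easy to miss by eye, because the change is a single space. The check below is an added example, not code from the Sling XSS module or from the issue reporter: it extracts the rendered text of an HTML fragment (ignoring tags and attributes, collapsing whitespace runs the way a browser does) and compares the text before and after filtering, which is the property the report says a sanitizer must preserve. It is written in Python with the standard library so it runs stand-alone; the two HTML strings are the input/output pair quoted in the description, and FILTERED_UNFORMATTED is a constructed version of what filterHTML would return with formatOutput disabled.

```python
import re
from html.parser import HTMLParser

# Input/output pair quoted verbatim from the issue description (formatOutput=true).
ORIGINAL = (
    'Is it a <span style="color:#e60000">threat</span> or an '
    '<span style="color:#e60000">opportunity</span>?<br> Is it a threat or an opportunity?'
)
FILTERED_FORMATTED = (
    'Is it a <span style="color: rgb(230,0,0);">threat</span> or an '
    '<span style="color: rgb(230,0,0);">opportunity</span> ?<br /> Is it a threat or an opportunity?'
)
# Constructed: the same attribute rewriting, but without the injected space
# (what the output should look like once formatOutput is false).
FILTERED_UNFORMATTED = (
    'Is it a <span style="color: rgb(230,0,0);">threat</span> or an '
    '<span style="color: rgb(230,0,0);">opportunity</span>?<br /> Is it a threat or an opportunity?'
)


class _TextCollector(HTMLParser):
    """Collects only text nodes; tags and attributes are dropped."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def rendered_text(html: str) -> str:
    """Return the visible text of an HTML fragment with whitespace runs
    collapsed to a single space, mirroring how a browser renders it.
    A space inserted where there was none is still a visible difference."""
    collector = _TextCollector()
    collector.feed(html)
    collector.close()
    return re.sub(r"\s+", " ", "".join(collector.parts))


def text_preserved(before: str, after: str) -> bool:
    """True if filtering changed only markup/attributes, not the rendered text."""
    return rendered_text(before) == rendered_text(after)


def first_divergence(before: str, after: str):
    """Index in the rendered text where the two fragments first differ,
    or None if their text is identical. Useful as a test failure message."""
    a, b = rendered_text(before), rendered_text(after)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    for label, out in (("formatOutput=true", FILTERED_FORMATTED),
                       ("formatOutput=false", FILTERED_UNFORMATTED)):
        ok = text_preserved(ORIGINAL, out)
        where = first_divergence(ORIGINAL, out)
        print(f"{label}: text preserved = {ok}"
              + ("" if ok else f", first difference at index {where}"))
```

Dropped into the XSSAPI test suite (with rendered_text applied to the real filterHTML output), this catches any policy setting that alters visible text, not just the space before the question mark.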
Attachments
Issue Links
- duplicates SLING-5050 Disable AntiSamy's default formatOutput policy directive (Closed)