sling-dev mailing list archives

From "Konrad Windszus (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SLING-7024) Sightly doesn't allow to emit style or on event attributes for `data-sly-attribute`
Date Mon, 31 Jul 2017 15:58:00 GMT

    [ https://issues.apache.org/jira/browse/SLING-7024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107462#comment-16107462 ]

Konrad Windszus edited comment on SLING-7024 at 7/31/17 3:57 PM:
-----------------------------------------------------------------

Thanks for your comments.

1. You are right, sorry for the mistake; the example should rather use context `attribute`
here!
2. Yes, I observed that as well, but this is not obvious from the warning; I would therefore
rather directly have the workaround mentioned in the WARN. Your workaround to use classes
instead of direct styles is not always feasible (e.g. in a CMS where the number of allowed
background colors is the full RGB value set (https://www.w3.org/TR/css3-color/#rgb-color)).
IMHO the same overwrite possibility should be provided inside `data-sly-attribute` as with
a simple expression. So giving an explicit context should be enough here to explicitly state
that you really want to set that potentially sensitive value.
3. Sorry again, did not see that at first glance in the source code.

Still I would really appreciate both a clarification in the specs, a way to overwrite the
suppression with an explicit context, as well as a clearer warning in the log.


was (Author: kwin):
Thanks for your comments.

1. You are right, sorry for the mistake; the example should rather use context `attribute`
here!
2. Yes, I observed that as well, but this is not obvious from the warning; I would therefore
rather directly have the workaround mentioned in the WARN. Your workaround to use classes
instead of direct styles is not always feasible (e.g. in a CMS where the number of allowed
background colors is the full RGB value set (https://www.w3.org/TR/css3-color/#rgb-color)).
IMHO the same overwrite possibility should be provided inside `data-sly-attribute` as with
a simple expression. So giving an explicit context should be enough here to explicitly state
that you really want to set that potentially sensitive value.
3. Sorry again, did not see that at first glance in the source code.

Still I would really appreciate both a clarification in the specs as well as a clearer warning
in the log.

> Sightly doesn't allow to emit style or on event attributes for `data-sly-attribute`
> -----------------------------------------------------------------------------------
>
>                 Key: SLING-7024
>                 URL: https://issues.apache.org/jira/browse/SLING-7024
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting HTL Compiler 1.0.8
>            Reporter: Konrad Windszus
>            Assignee: Radu Cotescu
>         Attachments: Screenshot 2017-07-31 17.41.51.png
>
>
> For the following Sightly script
> {code}
> <a data-sly-attribute.style="${'background-color: #00ff00' @ context='style-token'}"></a>
> {code}
> The generated `a` element will not contain a style attribute.
> Instead, the following error is emitted in the log
> {code}
> 31.07.2017 09:26:12.448 *WARN* [172.19.0.1 [1501493172400] GET /<some URL> HTTP/1.1] org.apache.sling.scripting.sightly.impl.engine.SightlyScriptEngine Script <some script path> 11:32: ${'background-color: #00ff00' @ context='style-token'}: Refusing to generate attribute 'style' for security reasons.
> {code}
> This is unexpected as neither the HTL spec (https://github.com/Adobe-Marketing-Cloud/htl-spec/blob/master/SPECIFICATION.md#223-attribute)
> nor the Adobe documentation at https://docs.adobe.com/docs/en/htl/docs/block-statements.html#attribute
> mentions that. Please either document that or rather lift that limitation.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
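The thread above contrasts two ways of emitting the same attribute: a direct `style="${... @ context=...}"` expression, where an explicit context is honoured, and `data-sly-attribute.style`, which HTL Compiler 1.0.8 refuses outright with the WARN quoted in the issue. The following is an added example written for this archive page, not code from the Sling project or from anyone in the thread: a small Python model of that policy, so a reader can see what the refusal protects against and what the requested override would have to validate. Everything about the escaping is an assumption of this model, not Sling's implementation: the set of sensitive attributes (`style` plus every `on*` handler), the `attribute`, `styleToken` and `styleString` rules, and the `render_*` function names. The context is written `styleToken`, as the HTL spec spells it, rather than the `style-token` in the quoted script.

```python
"""
Model of the two attribute-emission paths in HTL discussed on this page.
Written for this note; it is NOT the Sling HTL engine's code.
Assumptions (ours, simplified): the escaping rules for the 'attribute',
'styleToken' and 'styleString' contexts, and that the sensitive set is
exactly 'style' plus every 'on*' attribute.
"""
import html
import logging
import re
from typing import List, Optional, Tuple

log = logging.getLogger("htl-model")


def is_sensitive_attribute(name: str) -> bool:
    """style and on* (event handler) attributes are script-capable sinks:
    plain HTML attribute encoding does not neutralise what they contain."""
    n = name.lower()
    return n == "style" or n.startswith("on")


# Stand-ins for the per-context escaping HTL applies (assumed, not Sling's rules).
_STYLE_TOKEN = re.compile(r"[A-Za-z0-9_#.%-]+")  # one CSS token: "#00ff00", "12px", "red"
_STYLE_UNSAFE = re.compile(r"""expression\s*\(|url\s*\(|javascript:|[<>"'&\\;]""", re.I)


def escape_for_context(value: str, context: str) -> str:
    if context == "attribute":
        return html.escape(value, quote=True)
    if context == "styleToken":
        # a single CSS token; anything else is dropped entirely
        return value if _STYLE_TOKEN.fullmatch(value) else ""
    if context == "styleString":
        # property/value text such as "background-color: #00ff00"; script-capable
        # constructs drop the whole value, the rest is attribute-encoded
        return "" if _STYLE_UNSAFE.search(value) else html.escape(value, quote=True)
    if context == "unsafe":
        return value
    raise ValueError(f"unknown context: {context!r}")


def render_direct(name: str, value: str, context: Optional[str] = None) -> Optional[str]:
    """<a NAME="${value @ context=...}">: an explicit context is honoured;
    without one, a sensitive attribute is removed rather than guessed at."""
    if context is None:
        if is_sensitive_attribute(name):
            log.warning("Removing attribute '%s': no explicit context given.", name)
            return None
        context = "attribute"
    return f'{name}="{escape_for_context(value, context)}"'


def render_sly_attribute(name: str, value: str, context: Optional[str] = None) -> Optional[str]:
    """data-sly-attribute.NAME="${value @ context=...}" as observed with HTL Compiler
    1.0.8: sensitive attributes are refused whatever context the expression carries."""
    if is_sensitive_attribute(name):
        log.warning("Refusing to generate attribute '%s' for security reasons.", name)
        return None
    return render_direct(name, value, context)


# (name, value, context-or-None, via data-sly-attribute?)
Attr = Tuple[str, str, Optional[str], bool]


def render_element(tag: str, attrs: List[Attr]) -> str:
    """Assemble a start/end tag pair, dropping attributes the policy refuses."""
    rendered = []
    for name, value, context, via_sly in attrs:
        out = (render_sly_attribute if via_sly else render_direct)(name, value, context)
        if out is not None:
            rendered.append(out)
    inner = (" " + " ".join(rendered)) if rendered else ""
    return f"<{tag}{inner}></{tag}>"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # The script from the issue: the attribute is dropped and the WARN is logged.
    print(render_element("a", [("style", "background-color: #00ff00", "styleToken", True)]))
    # The workaround discussed: the same value as a direct expression with an explicit context.
    print(render_element("a", [("style", "background-color: #00ff00", "styleString", False)]))
    # Why the refusal exists: emitted unvalidated, this value is script injection via CSS.
    print(render_element("a", [("style", "background:url(javascript:alert(1))", "styleString", False)]))
```

The point the model makes explicit: whichever syntax is used, an override for `style` or `on*` is only safe if it is tied to a context whose validator actually rejects script-capable CSS (`expression(`, `url(javascript:` and the like), which is why an explicit context, not a bare `unsafe`, is the right escape hatch to ask for.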