Sling / SLING-6008

The display context cannot be overwritten for HTML attribute expressions


    Description

      The XSS display context cannot be overwritten any more for expressions that should generate the value of HTML attributes:

      Markup:

      <a data-sly-use.urltype="logic.js" href="${urltype.hrefValue @ context='unsafe'}">Click</a>
      

      Logic:

      use(function () {
          return {
              hrefValue: "$link.category('default','men','')"
          };
      });
      

      Current output:

      <a href="$link.category(%27default%27,%27men%27,%27%27)">Click</a>
      

      However, with context='unsafe', the output should actually be:

      <a href="$link.category('default','men','')">Click</a>
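
The expected behaviour next to the reported one, as an added example that is not part of the original issue and is not Sling's code: a simplified JavaScript model in which an explicit `context` option overrides the default display context inferred from the attribute name. All function names and the escaper implementations are hypothetical stand-ins, not the HTL engine's XSS API.

```javascript
// Simplified model of display-context resolution for an attribute expression.
// Hypothetical stand-ins only; this is not the HTL engine's implementation.
const ESCAPERS = {
  // 'uri' stand-in: percent-encode characters that could break out of the attribute.
  uri: (v) => v.replace(/['"<>`]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase()),
  // 'attribute' stand-in: HTML-entity encode markup-significant characters.
  attribute: (v) => v.replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';'),
  // 'unsafe': escaping is disabled entirely, the value is emitted as-is.
  unsafe: (v) => v,
};

// Default context when the expression does not set one:
// 'uri' for href/src, 'attribute' for every other attribute.
function defaultContext(attrName) {
  return ['href', 'src'].includes(attrName.toLowerCase()) ? 'uri' : 'attribute';
}

// Expected behaviour: an explicit context option takes precedence over the default.
function resolveContext(attrName, options = {}) {
  const ctx = options.context || defaultContext(attrName);
  if (!Object.prototype.hasOwnProperty.call(ESCAPERS, ctx)) {
    throw new Error(`unknown display context: ${ctx}`);
  }
  return ctx;
}

function renderAttribute(attrName, value, options) {
  const escape = ESCAPERS[resolveContext(attrName, options)];
  return `${attrName}="${escape(value)}"`;
}

// Behaviour described in this issue: the option is ignored for attribute
// expressions, so the default context is always applied.
function renderAttributeReported(attrName, value) {
  return `${attrName}="${ESCAPERS[defaultContext(attrName)](value)}"`;
}

// Value taken from the issue's logic.js.
const hrefValue = "$link.category('default','men','')";
console.log(renderAttributeReported('href', hrefValue));
console.log(renderAttribute('href', hrefValue, { context: 'unsafe' }));
```
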
      

            People

              radu Radu Cotescu