Uploaded image for project: 'Sling'
  1. Sling
  2. SLING-9011

HTL: "automatic" context=uri on href/src seems to be wrong - Should be uri *and* html

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Won't Fix
    • Scripting HTL Engine 1.3.2-1.4.0
    • None
    • Scripting
    • None

    Description

      url=http://test.com/?a=true&b=false&c=%3F

      <a href="${url}">Test</a>

      I expect the href to be (when viewing page source):

      http://test.com/?a=true&amp;b=false&amp;c=%3F

      It however is:

      http://test.com/?a=true&b=false&c=%3F

      HTML requires attributes to also be encoded, so I believe we're not doing enough to do the proper encoding/escaping here.

      WDYT?

      Attachments

        Issue Links

          is fixed by

          Bug - A problem which impairs or prevents the functions of the product. SLING-9694 XSSAPIImpl#getValidHref does not escape the ampersand character

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              radu Radu Cotescu
              Henry Kuijpers Henry Kuijpers
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: