I use Sightly and, while investigating an error in my application, I noticed behaviour that I did not expect.
Some of the links are rendered with the ampersands in the query string escaped twice. Example:
<a href="http://www.google.com?a=1&amp;b=2&amp;c=3"> link with explicit attribute context </a>
Upon closer inspection, it turned out that an org.apache.sling.rewriter.Transformer implementation running in AEM was escaping special characters in all href attributes.
Combined with Sightly's XSS protection, this led to double escaping.
While investigating this, I turned off the transformer and noticed strange behaviour in Sightly.
Attribute context and default context in href attributes do not match
Given the following three elements, I expected them to display the href value in the same way (with the query string escaped according to W3C standards):
<a href="${'http://www.google.com?a=1&b=2&c=3'}">no explicit context, expression used</a>
<a href="http://www.google.com?a=1&b=2&c=3">no explicit context</a>
<a href="${'http://www.google.com?a=1&b=2&c=3' @ context='attribute'}"> explicit attribute context </a>
However, only the last one performs escaping, and I get:
<a href="http://www.google.com?a=1&b=2&c=3">no explicit context, expression used</a>
<a href="http://www.google.com?a=1&b=2&c=3">no explicit context</a>
<a href="http://www.google.com?a=1&amp;b=2&amp;c=3"> explicit attribute context </a>
For some reason, the last one, using context='attribute' (the only one that does anything with the & characters), escapes the ampersands twice, resulting in invalid links.
This can be reproduced with arbitrary element names and attributes, so I think I can safely assume that this is not related to the rewriter.
<stargate data-custom="${'http://www.google.com?a=1&b=2&c=3' @ context='attribute'}"> attribute context in custom tag </stargate>
Outputs:
<stargate data-custom="http://www.google.com?a=1&amp;b=2&amp;c=3"> attribute context in custom tag </stargate>
Also, the Display Context specification gave me the impression that the context when rendering an attribute would automatically be inferred as attribute:
To protect against cross-site scripting (XSS) vulnerabilities, Sightly automatically recognizes the context in which the output string should be displayed in the final HTML output file, and escapes this string accordingly.
Is the observed behavior expected here or am I looking at a potential bug in Sightly?
What context should I use here? All contexts except attribute ignore the fact that query strings must be escaped in href; attribute, on the other hand, seems to do it twice. What's happening?
I am using the Adobe Granite Sightly Template Engine (compatibility) io.sightly.bundle 1.1.72
Uri context does not escape query strings present in HTML5 href attributes
I also tried using
<a href="${'http://www.google.com?a=1&b=2&c=3' @ context='uri'}">explicit uri context</a>
But it fails to escape the & characters, which leads to invalid HTML5:
<a href="http://www.google.com?a=1&b=2&c=3">explicit uri context</a>
Validation result as HTML5:
Error line 70, column 35: & did not start a character reference. (& probably should have been escaped as &amp;.)
<a href="http://www.google.com?a=1&b=2&c=3">explicit uri context</a>
Html context correctly displays links with multiple request parameters in href attributes
It seems the only context I can use here at the moment is html (text escapes & twice, just like attribute).
<a href="${'http://www.google.com?a=1&b=2&c=3' @ context='html'}">explicit html context</a>
gives
<a href="http://www.google.com?a=1&b=2&c=3">explicit html context</a>
Switching to this context gives me the correct value in href, as shown by the browser. However, it does not seem to have the right semantics.
To quote the html context description from the Sightly spec:
Use this if you want to output HTML - Removes markup that may contain XSS risks
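As an added illustration of the escaping question raised in this post (not code from the post or from Sightly/AEM), the following Python script uses the standard library's html module as a stand-in for a correct "attribute" context: it escapes the sample URL once, then parses the resulting anchor the way a browser would (entity-decoding the attribute value) and shows which query parameters the server would actually receive. It also applies the escape a second time to reproduce the double-escaping effect described above, and includes a small heuristic check for values that have already been escaped. The URL, the anchor markup and the check are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL with several query parameters (not the page's own data).
RAW_URL = "http://www.google.com?a=1&b=2&c=3"


def escape_attr(value: str) -> str:
    """Escape a value exactly once for use inside a double-quoted HTML attribute.

    This is what a correct 'attribute' display context should do: '&' -> '&amp;',
    '<' -> '&lt;', '>' -> '&gt;', '"' -> '&quot;'. Applying it twice is the bug
    described in the post (the '&' of '&amp;' gets escaped again).
    """
    return html.escape(value, quote=True)


def render_anchor(href_value: str, text: str = "link") -> str:
    """Build the anchor markup that a template would emit for a given attribute value."""
    return f'<a href="{href_value}">{text}</a>'


class _HrefCollector(HTMLParser):
    """Collect href attribute values after entity decoding, i.e. as a browser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value is not None:
                self.hrefs.append(value)


def href_as_seen_by_browser(markup: str) -> str:
    """Return the decoded href of the first anchor in the markup.

    HTMLParser decodes character references in attribute values, so '&amp;' becomes
    '&'. A bare '&b=2' is kept as-is (lenient parsing), which is why an unescaped
    ampersand still 'works' in browsers even though it is invalid HTML5.
    """
    parser = _HrefCollector()
    parser.feed(markup)
    parser.close()
    return parser.hrefs[0]


def query_params(url: str) -> dict:
    """Split the URL and parse its query string the way a server-side framework would."""
    return parse_qs(urlsplit(url).query)


def looks_double_escaped(attr_value: str) -> bool:
    """Heuristic (an assumption of this example, not a Sightly rule): if decoding the
    value a second time still changes it, an entity was escaped on top of an entity."""
    once = html.unescape(attr_value)
    return html.unescape(once) != once


if __name__ == "__main__":
    single = escape_attr(RAW_URL)
    double = escape_attr(single)
    for label, value in (("raw", RAW_URL), ("escaped once", single), ("escaped twice", double)):
        seen = href_as_seen_by_browser(render_anchor(value))
        print(f"{label:14s} attr={value}")
        print(f"{'':14s} browser sees {seen} -> params {query_params(seen)}")
```

Escaping once yields `&amp;` in the markup and the browser decodes it back to the original URL with parameters a, b and c; escaping twice yields `&amp;amp;`, which the browser decodes to a URL whose query string contains a literal `&amp;`, so the server receives parameters named `amp;b` and `amp;c` instead of `b` and `c`. That is the "invalid links" outcome the post describes, and `looks_double_escaped` is one way to detect it in rendered output.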