Cross site scripting protection turned off

I saw this code in the We.Retail demo AEM project:

<template 
  data-sly-template.include="${@ categories='Client Library categories', mode='optional: JS or CSS, case-insensitive'}"
  data-sly-use.clientlib="${'libs.granite.sightly.templates.ClientLibUseObject' @ categories=categories, mode=mode}">
    ${clientlib.include @ context='unsafe'}
</template>

Can someone help me understand what the purpose of turning off XSS protection is in this case?

Thanks in advance!

HTL has built-in XSS protection.

When you use context='unsafe', it completely disables escaping and XSS protection. Once XSS protection is disabled, your site may be vulnerable to cross-site scripting attacks. This is one of the reasons HTL is preferred over traditional JSP.

That said, sometimes none of the other contexts HTL provides will satisfy your need, and using the unsafe context is the last resort. The code snippet you posted is one such example. You are passing parameters (categories and mode) to a Java class (ClientLibUseObject.java), which initializes BINDINGS_CATEGORIES and BINDINGS_MODE; then the include method is called, which writes these parameters to a com.adobe.granite.ui.clientlibs.HtmlLibraryManager object.

HtmlLibraryManager provides methods that include the js/css files stored in the repository and resolve the categories and dependencies. Nothing in the list of available contexts can satisfy this use case, so they used unsafe.

import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;

import javax.script.Bindings;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.scripting.SlingBindings;
import org.apache.sling.api.scripting.SlingScriptHelper;
import org.apache.sling.scripting.sightly.pojo.Use;
import org.slf4j.Logger;

import com.adobe.granite.ui.clientlibs.HtmlLibraryManager;

public class ClientLibUseObject implements Use {

    // Names of the template parameters passed in through data-sly-use
    private static final String BINDINGS_CATEGORIES = "categories";
    private static final String BINDINGS_MODE = "mode";

    private HtmlLibraryManager htmlLibraryManager = null;
    private String[] categories;
    private String mode;
    private SlingHttpServletRequest request;
    private Logger log;

    public void init(Bindings bindings) {
        Object categoriesObject = bindings.get(BINDINGS_CATEGORIES);
        log = (Logger) bindings.get(SlingBindings.LOG);
        if (categoriesObject != null) {
            // 'categories' may arrive as an array or as a CSV string; normalise to String[]
            if (categoriesObject instanceof Object[]) {
                Object[] categoriesArray = (Object[]) categoriesObject;
                categories = new String[categoriesArray.length];
                int i = 0;
                for (Object o : categoriesArray) {
                    if (o instanceof String) {
                        categories[i++] = ((String) o).trim();
                    }
                }
            } else if (categoriesObject instanceof String) {
                categories = ((String) categoriesObject).split(",");
                int i = 0;
                for (String c : categories) {
                    categories[i++] = c.trim();
                }
            }
            if (categories != null && categories.length > 0) {
                mode = (String) bindings.get(BINDINGS_MODE);
                request = (SlingHttpServletRequest) bindings.get(SlingBindings.REQUEST);
                SlingScriptHelper sling = (SlingScriptHelper) bindings.get(SlingBindings.SLING);
                // The OSGi service that resolves categories/dependencies and writes the tags
                htmlLibraryManager = sling.getService(HtmlLibraryManager.class);
            }
        }
    }

    // Returns the <script>/<link> markup; the template emits it with context='unsafe'
    public String include() {
        StringWriter sw = new StringWriter();
        try {
            if (categories == null || categories.length == 0)  {
                log.error("'categories' option might be missing from the invocation of the /libs/granite/sightly/templates/clientlib.html " +
                        "client libraries template library. Please provide a CSV list or an array of categories to include.");
            } else {
                PrintWriter out = new PrintWriter(sw);
                if ("js".equalsIgnoreCase(mode)) {
                    htmlLibraryManager.writeJsInclude(request, out, categories);
                } else if ("css".equalsIgnoreCase(mode)) {
                    htmlLibraryManager.writeCssInclude(request, out, categories);
                } else {
                    htmlLibraryManager.writeIncludes(request, out, categories);
                }
            }
        } catch (IOException e) {
            log.error("Failed to include client libraries {}", categories);
        }
        return sw.toString();
    }
}

List of available display contexts

More about XSS and the different ways XSS can be used to attack sites here
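As an added example (not code from the post or from AEM itself), here is a small Python model of the behaviour the answer describes: the same clientlib include markup emitted under HTL's default text context, the html context and unsafe, plus the category check an implementation can apply before handing server-built markup to an unsafe context. The category-to-path mapping and the paths are constructed sample data, and the html context is simplified to dropping script elements.

```python
import html
import re

# Constructed sample data: category -> (js path, css path). The real
# HtmlLibraryManager resolves categories and their dependencies from the
# repository; this stand-in only mimics the tags it writes.
CLIENTLIB_PATHS = {
    "weretail.base": ("/etc.clientlibs/weretail/clientlibs/clientlib-base.js",
                      "/etc.clientlibs/weretail/clientlibs/clientlib-base.css"),
}

# Clientlib category names are dotted identifiers; anything else is rejected
# before it can reach markup that will not be escaped.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def write_includes(categories, mode="all"):
    """Stand-in for clientlib.include: build <script>/<link> tags for the
    given categories, validating each name first."""
    tags = []
    for cat in categories:
        if not CATEGORY_RE.match(cat):
            raise ValueError(f"invalid clientlib category: {cat!r}")
        js, css = CLIENTLIB_PATHS[cat]
        if mode.lower() in ("js", "all"):
            tags.append(f'<script src="{js}"></script>')
        if mode.lower() in ("css", "all"):
            tags.append(f'<link rel="stylesheet" href="{css}" type="text/css">')
    return "\n".join(tags)


def htl_output(value, context="text"):
    """Simplified model of ${value @ context=...}: 'text' (the default for
    element content) encodes everything, 'html' keeps markup but drops
    <script> elements (the real context runs a full sanitiser), and
    'unsafe' emits the value untouched."""
    if context == "unsafe":
        return value
    if context == "text":
        return html.escape(value, quote=True)
    if context == "html":
        return re.sub(r"<script\b[^>]*>.*?</script>", "", value, flags=re.S | re.I)
    raise ValueError(f"unsupported context: {context}")


def demo():
    """Return the JS include markup as each context would render it."""
    markup = write_includes(["weretail.base"], "js")
    return {ctx: htl_output(markup, ctx) for ctx in ("text", "html", "unsafe")}
```

Only the unsafe context leaves a working script tag; text turns it into visible escaped text and html removes it, which is why the template cannot use either of them for this output.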