跨站点脚本保护已关闭
Cross site scripting protection turned off
我在演示 We.Retail AEM 项目中看到了这段代码:
<template
data-sly-template.include="${@ categories='Client Library categories', mode='optional: JS or CSS, case-insensitve'}"
data-sly-use.clientlib="${'libs.granite.sightly.templates.ClientLibUseObject' @ categories=categories, mode=mode}">
${clientlib.include @ context='unsafe'}
</template>
谁能帮我理解在这种情况下关闭 XSS 保护的目的是什么?
提前致谢!
HTL 具有内置 XSS 保护。
当您使用context = 'unsafe'时,它会完全禁用转义和XSS 保护。一旦 'XSS' 保护被禁用,您的站点可能容易受到跨站点脚本的攻击。
这是 HTL 优于传统 JSP.
的原因之一
话虽如此,但有时 HTL 提供的其他上下文 none 会满足您的需要,使用 unsafe 上下文将是最后的选择。您发布的代码片段就是这样的一个例子。
您正在将参数(类别和模式)传递给 java class (ClientLibUseObject.java),它初始化 BINDINGS_CATEGORIES 和 BINDINGS_MODE,然后是 include 方法被调用,将这些参数写入 com.adobe.granite.ui.clientlibs.HtmlLibraryManager 对象。
HtmlLibraryManager 提供的方法包括存储在存储库中的 js/css 文件并解析类别和依赖项。在可用上下文列表中,没有任何内容可以满足此用例,因此他们使用了 unsafe.
public class ClientLibUseObject implements Use {
private static final String BINDINGS_CATEGORIES = "categories";
private static final String BINDINGS_MODE = "mode";
private HtmlLibraryManager htmlLibraryManager = null;
private String[] categories;
private String mode;
private SlingHttpServletRequest request;
private PrintWriter out;
private Logger log;
public void init(Bindings bindings) {
Object categoriesObject = bindings.get(BINDINGS_CATEGORIES);
log = (Logger) bindings.get(SlingBindings.LOG);
if (categoriesObject != null) {
if (categoriesObject instanceof Object[]) {
Object[] categoriesArray = (Object[]) categoriesObject;
categories = new String[categoriesArray.length];
int i = 0;
for (Object o : categoriesArray) {
if (o instanceof String) {
categories[i++] = ((String) o).trim();
}
}
} else if (categoriesObject instanceof String) {
categories = ((String) categoriesObject).split(",");
int i = 0;
for (String c : categories) {
categories[i++] = c.trim();
}
}
if (categories != null && categories.length > 0) {
mode = (String) bindings.get(BINDINGS_MODE);
request = (SlingHttpServletRequest) bindings.get(SlingBindings.REQUEST);
SlingScriptHelper sling = (SlingScriptHelper) bindings.get(SlingBindings.SLING);
htmlLibraryManager = sling.getService(HtmlLibraryManager.class);
}
}
}
public String include() {
StringWriter sw = new StringWriter();
try {
if (categories == null || categories.length == 0) {
log.error("'categories' option might be missing from the invocation of the /libs/granite/sightly/templates/clientlib.html" +
"client libraries template library. Please provide a CSV list or an array of categories to include.");
} else {
PrintWriter out = new PrintWriter(sw);
if ("js".equalsIgnoreCase(mode)) {
htmlLibraryManager.writeJsInclude(request, out, categories);
} else if ("css".equalsIgnoreCase(mode)) {
htmlLibraryManager.writeCssInclude(request, out, categories);
} else {
htmlLibraryManager.writeIncludes(request, out, categories);
}
}
} catch (IOException e) {
log.error("Failed to include client libraries {}", categories);
}
return sw.toString();
}
}
可用列表 display contexts。
更多关于XSS and different ways XSS can be used to attack sites here
我在演示 We.Retail AEM 项目中看到了这段代码:
<template
data-sly-template.include="${@ categories='Client Library categories', mode='optional: JS or CSS, case-insensitve'}"
data-sly-use.clientlib="${'libs.granite.sightly.templates.ClientLibUseObject' @ categories=categories, mode=mode}">
${clientlib.include @ context='unsafe'}
</template>
谁能帮我理解在这种情况下关闭 XSS 保护的目的是什么?
提前致谢!
HTL 具有内置 XSS 保护。
当您使用context = 'unsafe'时,它会完全禁用转义和XSS 保护。一旦 'XSS' 保护被禁用,您的站点可能容易受到跨站点脚本的攻击。
这是 HTL 优于传统 JSP.
话虽如此,但有时 HTL 提供的其他上下文 none 会满足您的需要,使用 unsafe 上下文将是最后的选择。您发布的代码片段就是这样的一个例子。
您正在将参数(类别和模式)传递给 java class (ClientLibUseObject.java),它初始化 BINDINGS_CATEGORIES 和 BINDINGS_MODE,然后是 include 方法被调用,将这些参数写入 com.adobe.granite.ui.clientlibs.HtmlLibraryManager 对象。
HtmlLibraryManager 提供的方法包括存储在存储库中的 js/css 文件并解析类别和依赖项。在可用上下文列表中,没有任何内容可以满足此用例,因此他们使用了 unsafe.
public class ClientLibUseObject implements Use {
private static final String BINDINGS_CATEGORIES = "categories";
private static final String BINDINGS_MODE = "mode";
private HtmlLibraryManager htmlLibraryManager = null;
private String[] categories;
private String mode;
private SlingHttpServletRequest request;
private PrintWriter out;
private Logger log;
public void init(Bindings bindings) {
Object categoriesObject = bindings.get(BINDINGS_CATEGORIES);
log = (Logger) bindings.get(SlingBindings.LOG);
if (categoriesObject != null) {
if (categoriesObject instanceof Object[]) {
Object[] categoriesArray = (Object[]) categoriesObject;
categories = new String[categoriesArray.length];
int i = 0;
for (Object o : categoriesArray) {
if (o instanceof String) {
categories[i++] = ((String) o).trim();
}
}
} else if (categoriesObject instanceof String) {
categories = ((String) categoriesObject).split(",");
int i = 0;
for (String c : categories) {
categories[i++] = c.trim();
}
}
if (categories != null && categories.length > 0) {
mode = (String) bindings.get(BINDINGS_MODE);
request = (SlingHttpServletRequest) bindings.get(SlingBindings.REQUEST);
SlingScriptHelper sling = (SlingScriptHelper) bindings.get(SlingBindings.SLING);
htmlLibraryManager = sling.getService(HtmlLibraryManager.class);
}
}
}
public String include() {
StringWriter sw = new StringWriter();
try {
if (categories == null || categories.length == 0) {
log.error("'categories' option might be missing from the invocation of the /libs/granite/sightly/templates/clientlib.html" +
"client libraries template library. Please provide a CSV list or an array of categories to include.");
} else {
PrintWriter out = new PrintWriter(sw);
if ("js".equalsIgnoreCase(mode)) {
htmlLibraryManager.writeJsInclude(request, out, categories);
} else if ("css".equalsIgnoreCase(mode)) {
htmlLibraryManager.writeCssInclude(request, out, categories);
} else {
htmlLibraryManager.writeIncludes(request, out, categories);
}
}
} catch (IOException e) {
log.error("Failed to include client libraries {}", categories);
}
return sw.toString();
}
}
可用列表 display contexts。
更多关于XSS and different ways XSS can be used to attack sites here