Cross Site Scripting Helpers
ironsites
ironsites helps expose the great usefulness of XSSAPI and XSSFilter to CQ developers writing JSP.
Well-travelled CQ developers will frequently have had to hand-roll code that parses or filters HTML/CSS/etc. out of authored content, for various valid and invalid reasons. You could still do that, or you could use an AntiSamy policy file with granular rules. That's up to you, but ironsites makes the latter course of action easier on the developer.
<isx:filterHTML policy="xss/ripout-javascript-from-authors.xml">
<cq:text property="text"/>
</isx:filterHTML>
In the above, the policy attribute is a relative path to an AntiSamy policy file stored in the JCR. This file defines granular rules for sanitizing markup: which tags and attributes are allowed, what their values may look like, and what happens to everything else (AntiSamy drops tags and attributes that no rule allows, keeping only the text content of an unknown tag). Filtering is the right tool when the value genuinely has to carry markup; if a property only ever holds plain text, encode it instead of filtering it. This is very useful in cases where you have a clever author or are supporting User Generated Content (UGC).
Encoding is fairly straightforward with XSSAPI itself, but XSSUtil also provides static method wrappers around the XSSAPI service methods so they can be called as EL functions. Note the extra pageContext parameter in the EL form. The two snippets below produce equivalent output. Whichever form you use, pick the encoder that matches the output context: encodeForHTML for text between tags, encodeForHTMLAttr for a quoted attribute value, encodeForJSString inside a JavaScript string literal, and getValidHref for a URL attribute.
...
<%-- scriptlet form, calling the XSSAPI service directly --%>
<span><%=xssAPI.encodeForHTMLAttr("thanks & goodbye")%></span>
...
<%-- EL function form via the XSSUtil static wrapper --%>
<span>${xss:encodeForHTMLAttr("thanks & goodbye", pageContext)}</span>
...
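As an added example (my own, not code from the ironsites project), the following component JSP shows the context-specific encoders side by side on the same author-supplied values. It assumes the standard CQ global.jsp include, which defines the xssAPI and properties scripting objects; the property names and the hostile default values are constructed for the illustration:

```jsp
<%@ include file="/libs/foundation/global.jsp" %>
<%
    // Constructed sample values: the defaults stand in for what a
    // malicious author or UGC submitter might have stored.
    String title = properties.get("jcr:title", "\"><script>alert(1)</script>");
    String link  = properties.get("link", "javascript:alert(1)");
%>

<%-- Element content: encodeForHTML turns <, >, &, " into entities --%>
<h2><%= xssAPI.encodeForHTML(title) %></h2>

<%-- Quoted attribute value: encodeForHTMLAttr, so a " cannot close the attribute --%>
<%-- URL attribute: getValidHref returns "" for a javascript: or otherwise unsafe URL --%>
<a title="<%= xssAPI.encodeForHTMLAttr(title) %>"
   href="<%= xssAPI.getValidHref(link) %>">
    <%= xssAPI.encodeForHTML(title) %>
</a>

<%-- Inside a JavaScript string literal: encodeForJSString escapes quotes,
     backslashes and the </ sequence that would otherwise end the script --%>
<script type="text/javascript">
    var pageTitle = "<%= xssAPI.encodeForJSString(title) %>";
</script>
```

The same value needs a different encoder in each place; encodeForHTMLAttr on the text inside a script block, for instance, would not stop a string-literal breakout. That is why the API has one method per context rather than a single escape() call.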