How can I encode Javascript snippets in widget.jsp?

Question

Hi

I use a lot of Javascript in custom components. Therefor I use custom properties that I added to the custom component's dialog.

I've found that all properties provided by the user via the component's dialog are encoded in the JSP:

name="${guide:encodeForHtmlAttr(guideField.name,xssAPI)}"

com.adobe.aemds.guide.taglibs.GuideELUtils provides

encodeForHtml(String str, XSSAPI xssapi)

encodeForHtmlAttr(String str, XSSAPI xssapi)

but does not provide methods for other encoding recommended by https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

How can I protect against XSS using the aem toolset?

Thank you,

Urs

anshikagarwal · Accepted Answer

Hi,I guessxssAPI.encodeForJSString("") is what you are looking for.https://docs.adobe.com/docs/en/cq/5-6-1/javadoc/com/adobe/granite/xss/XSSAPI.html#encodeForJSString(java.lang.String)Thanks,Anshika

anshikagarwal · Answer

Hi Urs,The example you gave in your first comment already had the xssAPI instance so I assumed you already have access to it.However, if you don't, you could either include <%@include file="/libs/granite/ui/global.jsp" %> or alternatively add <%@taglib prefix="cq" uri="http://www.day.com/taglibs/cq/1.0" %>in your jsp.And in case you are asking how to use it within the script in your jsp, attaching a sample below :Hope that helps.Thanks,Anshika

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded