
I came across this code in the We.Retail demo AEM project:

<template 
  data-sly-template.include="${@ categories='Client Library categories', mode='optional: JS or CSS, case-insensitive'}"
  data-sly-use.clientlib="${'libs.granite.sightly.templates.ClientLibUseObject' @ categories=categories, mode=mode}">
    ${clientlib.include @ context='unsafe'}
</template>

Can anyone help me understand the purpose of turning off XSS protection in this case?

Thanks in advance!

1 Answer

HTL has built-in XSS protection.

When context='unsafe' is used, escaping and XSS protection are disabled entirely. Once XSS protection is disabled, your site may be vulnerable to cross-site scripting attacks. This protection is one of the reasons HTL is preferred over traditional JSP.


That said, sometimes none of the other contexts HTL provides fit your needs, and using the unsafe context is the last resort. The snippet you posted is one such example. You pass the parameters (categories and mode) to a Java class (ClientLibUseObject.java), which reads them in init() via BINDINGS_CATEGORIES and BINDINGS_MODE; the include call then passes these parameters to the methods of the com.adobe.granite.ui.clientlibs.HtmlLibraryManager object, which writes the markup.

HtmlLibraryManager provides methods for including the js/css files stored in the repository and for resolving categories and dependencies. Nothing in the list of available contexts satisfies this use case, so they used unsafe.

import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;

import javax.script.Bindings;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.scripting.SlingBindings;
import org.apache.sling.api.scripting.SlingScriptHelper;
import org.apache.sling.scripting.sightly.pojo.Use; // assumed: the Sling HTL Use interface (older AEM builds used io.sightly.java.api.Use)
import org.slf4j.Logger;

import com.adobe.granite.ui.clientlibs.HtmlLibraryManager;

// Use-object behind /libs/granite/sightly/templates/clientlib.html.
// Its only input is template parameters set by the developer, not request data.
public class ClientLibUseObject implements Use {

    // Names of the template parameters passed in through the HTL bindings
    private static final String BINDINGS_CATEGORIES = "categories";
    private static final String BINDINGS_MODE = "mode";

    private HtmlLibraryManager htmlLibraryManager = null;
    private String[] categories;
    private String mode;
    private SlingHttpServletRequest request;
    private PrintWriter out; // unused: include() creates its own writer
    private Logger log;

    public void init(Bindings bindings) {
        Object categoriesObject = bindings.get(BINDINGS_CATEGORIES);
        log = (Logger) bindings.get(SlingBindings.LOG);
        if (categoriesObject != null) {
            // 'categories' may be passed as an HTL array ...
            if (categoriesObject instanceof Object[]) {
                Object[] categoriesArray = (Object[]) categoriesObject;
                categories = new String[categoriesArray.length];
                int i = 0;
                for (Object o : categoriesArray) {
                    if (o instanceof String) {
                        categories[i++] = ((String) o).trim();
                    }
                }
            // ... or as a comma-separated string
            } else if (categoriesObject instanceof String) {
                categories = ((String) categoriesObject).split(",");
                int i = 0;
                for (String c : categories) {
                    categories[i++] = c.trim();
                }
            }
            if (categories != null && categories.length > 0) {
                mode = (String) bindings.get(BINDINGS_MODE);
                request = (SlingHttpServletRequest) bindings.get(SlingBindings.REQUEST);
                SlingScriptHelper sling = (SlingScriptHelper) bindings.get(SlingBindings.SLING);
                // Resolve the OSGi service that renders <script>/<link> tags for a category
                htmlLibraryManager = sling.getService(HtmlLibraryManager.class);
            }
        }
    }

    // Returns the raw HTML include tags; the template prints them with context='unsafe'
    // because any escaping would turn the tags into literal text.
    public String include() {
        StringWriter sw = new StringWriter();
        try {
            if (categories == null || categories.length == 0)  {
                log.error("'categories' option might be missing from the invocation of the /libs/granite/sightly/templates/clientlib.html " +
                        "client libraries template library. Please provide a CSV list or an array of categories to include.");
            } else {
                PrintWriter out = new PrintWriter(sw);
                if ("js".equalsIgnoreCase(mode)) {
                    htmlLibraryManager.writeJsInclude(request, out, categories);
                } else if ("css".equalsIgnoreCase(mode)) {
                    htmlLibraryManager.writeCssInclude(request, out, categories);
                } else {
                    // no (or unknown) mode: write both JS and CSS includes
                    htmlLibraryManager.writeIncludes(request, out, categories);
                }
            }
        } catch (IOException e) {
            log.error("Failed to include client libraries {}", categories);
        }
        return sw.toString();
    }
}

List of available display contexts.

More about XSS and the different ways XSS can be used to attack a site here.

answered 2018-10-22T22:49:43.220
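To make the answer's point concrete, here is an added example (my own code, not the poster's and not Adobe's) that models what the template does. It builds the `<script>`/`<link>` tags a clientlib include produces, then renders them through a simplified imitation of two HTL display contexts: the default `text` context escapes the markup so the browser shows it as literal characters, while `unsafe` passes it through. It also shows the control that makes `unsafe` tolerable here: the category names come from the developer's template parameters and are checked against a strict allowlist, so no request-controlled string ever reaches the unescaped output. The `/etc.clientlibs` prefix, the `CATEGORY_RE` pattern and the function names are assumptions for this illustration; HTL's real `html` context (which sanitizes rather than escapes) is not modelled.

```python
import html
import re

# Assumed path prefix for this illustration; in AEM, HtmlLibraryManager
# resolves the real proxied paths for each category.
CLIENTLIB_ROOT = "/etc.clientlibs"

# Allowlist for clientlib category names (assumed; AEM categories are
# dotted identifiers such as "we.retail.base"). Anything else is rejected
# before it can reach the unescaped output.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def is_valid_category(category: str) -> bool:
    """True if the category name only contains allowlisted characters."""
    return bool(CATEGORY_RE.match(category))


def build_includes(categories, mode: str = "all") -> str:
    """Return the raw include markup, one tag per line, like a
    writeJsInclude/writeCssInclude/writeIncludes call would emit."""
    mode = mode.lower()  # mirrors the equalsIgnoreCase() in the Java class
    if mode not in ("js", "css", "all"):
        mode = "all"
    tags = []
    for category in categories:
        category = category.strip()
        if not is_valid_category(category):
            raise ValueError(f"invalid clientlib category: {category!r}")
        path = f"{CLIENTLIB_ROOT}/{category}"
        if mode in ("js", "all"):
            tags.append(f'<script src="{path}.js"></script>')
        if mode in ("css", "all"):
            tags.append(f'<link rel="stylesheet" href="{path}.css" type="text/css">')
    return "\n".join(tags)


def render(value: str, context: str = "text") -> str:
    """Simplified HTL display context for ${value @ context=...}:
    'text' escapes HTML metacharacters, 'unsafe' outputs the value as-is."""
    if context == "unsafe":
        return value
    if context == "text":
        return html.escape(value, quote=True)
    raise ValueError(f"context not modelled in this example: {context}")


if __name__ == "__main__":
    # Constructed sample categories, as a developer would pass them in the template
    sample = ["we.retail.base", "we.retail.site"]
    markup = build_includes(sample, "js")
    print("default (text) context renders literal text:")
    print(render(markup, "text"))
    print("unsafe context renders working tags:")
    print(render(markup, "unsafe"))
```

Running the script shows why the template cannot use the default context: the escaped form `&lt;script src=...&gt;` is displayed as text and loads nothing. The `unsafe` context is justified only because `build_includes` (like the Java Use-object) never takes input from the request and rejects anything outside the allowlist.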