[SITES-40889] [Core Components] Add support in Fragment component for CFVT #3015
alexandru-stancioiu wants to merge 11 commits into main from
Conversation
Codecov Report: All modified and coverable lines are covered by tests.
    String templateId = request.getParameter("templateId");
    String variation = request.getParameter("variation");
    response.setContentType("text/html;charset=UTF-8");
    response.getWriter().write(buildVcfHtml(fragmentId, templateId, variation));
Check warning
Code scanning / CodeQL
Cross-site scripting (Medium, test)
Copilot Autofix (AI), 2 days ago
In general, to fix cross-site scripting in servlets, all user-controlled data that is written into HTML should be encoded using a well-established, context-appropriate escaping library (for example, OWASP Java Encoder or Apache Commons Text) rather than handcrafted string replacement. This ensures correct and complete escaping for the specific HTML context and makes static analysis tools recognize the data as properly sanitized.
For this file, the best fix is to replace the custom escapeHtml implementation with one that delegates to a standard encoding routine from a known library, without changing the public behavior of the servlet. We should also keep the method signature so the rest of the code remains unchanged. A practical choice, without modifying other imports, is to add an import for org.apache.commons.text.StringEscapeUtils and implement escapeHtml by calling StringEscapeUtils.escapeHtml4(input). That encoder correctly escapes characters necessary for safe inclusion in HTML, including both single and double quotes, and is widely recognized. The changes are limited to:
- Adding an import at the top of MockVCFServlet.java for org.apache.commons.text.StringEscapeUtils.
- Replacing the body of escapeHtml (lines 131–138) with a call to StringEscapeUtils.escapeHtml4(input) while preserving the null check and method signature.
No other methods or call sites need to change, since appendRow and buildVcfHtml already use escapeHtml consistently.
| @@ -24,6 +24,7 @@ | ||
| import org.apache.sling.api.servlets.SlingAllMethodsServlet; | ||
| import org.apache.sling.servlets.annotations.SlingServletPaths; | ||
| import org.osgi.service.component.annotations.Component; | ||
| import org.apache.commons.text.StringEscapeUtils; | ||
|
|
||
| /** | ||
| * Local-development mock for the Content Fragment Visualization API. | ||
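Review bot: the new `import org.apache.commons.text.StringEscapeUtils;` is inserted after the `org.osgi` import, out of the alphabetical order the surrounding `org.apache.sling.*` imports follow; move it up next to the other `org.apache` imports so the import block stays sorted.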
| @@ -132,10 +133,7 @@ | ||
| if (input == null) { | ||
| return ""; | ||
| } | ||
| return input.replace("&", "&") | ||
| .replace("<", "<") | ||
| .replace(">", ">") | ||
| .replace("\"", """); | ||
| return StringEscapeUtils.escapeHtml4(input); | ||
| } | ||
|
|
||
| private static String escapeJson(String input) { |
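Review bot: `StringEscapeUtils.escapeHtml4(input)` does not encode the apostrophe, so the autofix explanation's claim that single quotes are covered does not hold for this call; the result is only safe if every attribute buildVcfHtml emits is double-quoted. Either confirm the attribute quoting in buildVcfHtml or append `.replace("'", "&#39;")` to the returned value, keeping the null check as it is.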
| @@ -202,6 +202,11 @@ | ||
| <artifactId>org.apache.sling.servlets.annotations</artifactId> | ||
| <version>1.2.6</version> | ||
| </dependency> | ||
| </dependencies> | ||
| <dependency> | ||
| <groupId>org.apache.commons</groupId> | ||
| <artifactId>commons-text</artifactId> | ||
| <version>1.15.0</version> | ||
| </dependency> | ||
| </dependencies> | ||
|
|
||
| </project> |
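Review bot: the new commons-text 1.15.0 dependency has no `<scope>`, so the it.core bundle will carry an Import-Package for `org.apache.commons.text` and will not resolve on the test instance unless the AEM runtime already exports that package at a compatible version. Confirm that export on the target runtime, or embed the dependency in the bundle, before relying on it in the mock servlet.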
| Package | Version | Security advisories |
| org.apache.commons:commons-text (maven) | 1.15.0 | None |
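A stand-alone check of the escaping point raised by the autofix above, written as an added example rather than code from the PR or from the core-components project. EscapeHtmlCheck, escapeHtmlStrict and isInert are hypothetical names; it assumes commons-text on the classpath and shows that neither the removed hand-written escaper nor escapeHtml4 encodes the apostrophe, which matters if buildVcfHtml ever emits a single-quoted attribute.

```java
import org.apache.commons.text.StringEscapeUtils;

/**
 * Added example (not code from the PR): runs the two escapeHtml variants
 * from the autofix diff plus a hypothetical stricter one over a probe
 * string and reports whether any HTML metacharacter survives.
 * Assumes org.apache.commons:commons-text is on the classpath.
 */
public class EscapeHtmlCheck {

    /** The hand-written variant the autofix removed. */
    static String escapeHtmlManual(String input) {
        if (input == null) {
            return "";
        }
        return input.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;");
    }

    /** The variant the autofix introduced. */
    static String escapeHtmlCommons(String input) {
        if (input == null) {
            return "";
        }
        return StringEscapeUtils.escapeHtml4(input);
    }

    /** Hypothetical hardened variant: escapeHtml4 plus the apostrophe. */
    static String escapeHtmlStrict(String input) {
        return escapeHtmlCommons(input).replace("'", "&#39;");
    }

    /**
     * True only when no raw <, >, " or ' remains and every & starts an
     * entity, i.e. the value is inert in text nodes and in both double-
     * and single-quoted attribute values.
     */
    static boolean isInert(String escaped) {
        boolean noDelimiters = !escaped.matches(".*[<>\"'].*");
        boolean ampsAreEntities = !escaped.matches(".*&(?![a-zA-Z#][a-zA-Z0-9]*;).*");
        return noDelimiters && ampsAreEntities;
    }

    public static void main(String[] args) {
        // Constructed probe covering every character the escapers handle.
        String probe = "<b title=\"x\">Tom's & Jerry</b>";
        System.out.printf("manual : inert=%b  %s%n", isInert(escapeHtmlManual(probe)), escapeHtmlManual(probe));
        System.out.printf("commons: inert=%b  %s%n", isInert(escapeHtmlCommons(probe)), escapeHtmlCommons(probe));
        System.out.printf("strict : inert=%b  %s%n", isInert(escapeHtmlStrict(probe)), escapeHtmlStrict(probe));
    }
}
```

Only the strict variant reports inert=true for the probe; the first two leave the apostrophe in Tom's unencoded.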
@alexandru-stancioiu , this may need to be fixed because it's likely getting deployed to AEM CS instances.
This is a mock servlet used for ITs
yeah, since it is a mock servlet used for ITs, it won't get deployed to AEMaaCS
...ing/it/it.core/src/main/java/com/adobe/cq/wcm/core/components/it/support/MockVCFServlet.java
Fixed
@alexandru-stancioiu, it would be nice to add an example if possible for this cool new feature in the examples subproject so that it would show up here https://www.aemcomponents.dev/content/core-components-examples/library/core-content/content-fragment.html . Then people can see it already shortly after the new release.
…ialog The dynamically-populated Coral Select for VCF templates has no server-side items, so Coral loses the stored JCR value on dialog load. Read the stored vcfTemplate from the component resource via an async fetch and use it as fallback when populating the dropdown. Added Karma/Jasmine tests for VCF template retention scenarios. Made-with: Cursor
13cfd81 to 86df6e9
Add a VCF display mode example to the Content Fragment examples page, showing the component configured with displayMode=vcf and a template. The visual preview requires AEM as a Cloud Service. Made-with: Cursor
Unfortunately we cannot make the visual preview on the aemcomponents.dev website work because we cannot serve any template client-side, it works only on AEMaaCS.
Fixes #1, Fixes #2