[SITES-40889] [Core Components] Add support in Fragment component for CFVT#3015
alexandru-stancioiu wants to merge 17 commits into main from
Codecov Report
String templateId = request.getParameter("templateId");
String variation = request.getParameter("variation");
response.setContentType("text/html;charset=UTF-8");
response.getWriter().write(buildVcfHtml(fragmentId, templateId, variation));
Check warning: Code scanning / CodeQL: Cross-site scripting
Copilot Autofix (AI, 20 days ago)
In general, to fix cross-site scripting in servlets, all user-controlled data that is written into HTML should be encoded using a well-established, context-appropriate escaping library (for example, OWASP Java Encoder or Apache Commons Text) rather than handcrafted string replacement. This ensures correct and complete escaping for the specific HTML context and makes static analysis tools recognize the data as properly sanitized.
For this file, the best fix is to replace the custom escapeHtml implementation with one that delegates to a standard encoding routine from a known library, without changing the public behavior of the servlet. We should also keep the method signature so the rest of the code remains unchanged. A practical choice, without modifying other imports, is to add an import for org.apache.commons.text.StringEscapeUtils and implement escapeHtml by calling StringEscapeUtils.escapeHtml4(input). That encoder correctly escapes characters necessary for safe inclusion in HTML, including both single and double quotes, and is widely recognized. The changes are limited to:
- Adding an import at the top of MockVCFServlet.java for org.apache.commons.text.StringEscapeUtils.
- Replacing the body of escapeHtml (lines 131–138) with a call to StringEscapeUtils.escapeHtml4(input) while preserving the null check and method signature.
No other methods or call sites need to change, since appendRow and buildVcfHtml already use escapeHtml consistently.
| @@ -24,6 +24,7 @@ | ||
| import org.apache.sling.api.servlets.SlingAllMethodsServlet; | ||
| import org.apache.sling.servlets.annotations.SlingServletPaths; | ||
| import org.osgi.service.component.annotations.Component; | ||
| import org.apache.commons.text.StringEscapeUtils; | ||
|
|
||
| /** | ||
| * Local-development mock for the Content Fragment Visualization API. | ||
| @@ -132,10 +133,7 @@ | ||
| if (input == null) { | ||
| return ""; | ||
| } | ||
| return input.replace("&", "&") | ||
| .replace("<", "<") | ||
| .replace(">", ">") | ||
| .replace("\"", """); | ||
| return StringEscapeUtils.escapeHtml4(input); | ||
| } | ||
|
|
||
| private static String escapeJson(String input) { |
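Review bot: `return StringEscapeUtils.escapeHtml4(input);` is sufficient for element content and double-quoted attribute values, but `escapeHtml4` does not encode the apostrophe, so any single-quoted attribute that `appendRow` or `buildVcfHtml` builds from `escapeHtml` output would still be injectable; either confirm every attribute receiving this value is double-quoted, or pick an encoder that also covers `'`. The neighbouring `escapeJson` keeps its handcrafted implementation and would benefit from the same library-based treatment for consistency.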
| @@ -202,6 +202,11 @@ | ||
| <artifactId>org.apache.sling.servlets.annotations</artifactId> | ||
| <version>1.2.6</version> | ||
| </dependency> | ||
| </dependencies> | ||
| <dependency> | ||
| <groupId>org.apache.commons</groupId> | ||
| <artifactId>commons-text</artifactId> | ||
| <version>1.15.0</version> | ||
| </dependency> | ||
| </dependencies> | ||
|
|
||
| </project> |
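Review bot: the added `commons-text` dependency declares no `<scope>`, so it is a compile dependency of an OSGi bundle; that only works if `org.apache.commons.text` is exported by the runtime at a compatible version or embedded into the bundle via the project's bundle plugin configuration, otherwise the it.core bundle will fail to resolve at deploy time. State which of the two is intended in the PR description, and if the package is embedded, consider `<scope>provided</scope>` is not appropriate and the embed instruction needs to be added alongside this block.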
| Package | Version | Security advisories |
| org.apache.commons:commons-text (maven) | 1.15.0 | None |
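To make the autofix concrete, the following is an added illustration (not code from the PR or from the core components project) of the same HTML-building shape the mock servlet has: request parameters written into a text/html response, once concatenated raw and once routed through StringEscapeUtils.escapeHtml4. The class name, the sample parameter values and the row layout are constructed for the demo; what it shows beyond the autofix text is that escapeHtml4 leaves the apostrophe untouched, so the hardened row double-quotes its attribute.

```java
import org.apache.commons.text.StringEscapeUtils;

// Added illustration, not code from the PR: builds HTML rows from values that
// stand in for request.getParameter(...) results, unescaped and escaped.
public final class VcfHtmlEscapeDemo {

    // Constructed sample values, chosen to exercise element text, an attribute
    // breakout via a double quote, and an apostrophe.
    static final String FRAGMENT_ID = "<img src=x onerror=alert(1)>";
    static final String TEMPLATE_ID = "\" onmouseover=\"alert(2)";
    static final String VARIATION = "it's";

    private VcfHtmlEscapeDemo() {
    }

    // Same null handling as the servlet's escapeHtml; escapeHtml4 encodes
    // & < > and " but has no entity for ' and leaves it as-is.
    static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        return StringEscapeUtils.escapeHtml4(input);
    }

    // Vulnerable shape: raw parameter concatenated into element text and an attribute.
    static String rowUnescaped(String label, String value) {
        return "<tr><td>" + label + "</td><td data-id=\"" + value + "\">" + value + "</td></tr>\n";
    }

    // Hardened shape: every request-controlled value passes through escapeHtml, and
    // the attribute is double-quoted so the missing apostrophe escape cannot matter.
    static String rowEscaped(String label, String value) {
        String safe = escapeHtml(value);
        return "<tr><td>" + escapeHtml(label) + "</td><td data-id=\"" + safe + "\">" + safe + "</td></tr>\n";
    }

    public static void main(String[] args) {
        String[][] params = {
            {"fragmentId", FRAGMENT_ID},
            {"templateId", TEMPLATE_ID},
            {"variation", VARIATION},
        };
        StringBuilder unsafe = new StringBuilder("<table>\n");
        StringBuilder safe = new StringBuilder("<table>\n");
        for (String[] p : params) {
            unsafe.append(rowUnescaped(p[0], p[1]));
            safe.append(rowEscaped(p[0], p[1]));
        }
        unsafe.append("</table>");
        safe.append("</table>");

        System.out.println("--- unescaped (injectable) ---");
        System.out.println(unsafe);
        System.out.println("--- escaped with escapeHtml4 ---");
        System.out.println(safe);

        // Checks of the kind a unit test for the servlet could carry.
        String escaped = safe.toString();
        if (escaped.contains("<img") || escaped.contains("onmouseover=\"")) {
            throw new AssertionError("escaping failed");
        }
        if (!escapeHtml(TEMPLATE_ID).equals("&quot; onmouseover=&quot;alert(2)")) {
            throw new AssertionError("unexpected quote encoding");
        }
        // The apostrophe survives: harmless in element text and double-quoted
        // attributes, but it would terminate a single-quoted attribute.
        if (!escapeHtml(VARIATION).equals("it's")) {
            throw new AssertionError("escapeHtml4 unexpectedly changed the apostrophe");
        }
    }
}
```

Compile and run with commons-text on the classpath (the same artifact the autofix adds to the pom). The final check is the point the autofix description glosses over: because escapeHtml4 does not touch the apostrophe, the encoder is only a complete fix when every attribute built in buildVcfHtml and appendRow uses double quotes.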
@alexandru-stancioiu , this may need to be fixed because it's likely getting deployed to AEM CS instances.
This is a mock servlet used for ITs
yeah, since it is a mock servlet used for ITs, it won't get deployed to AEMaaCS
...ing/it/it.core/src/main/java/com/adobe/cq/wcm/core/components/it/support/MockVCFServlet.java
Fixed
@alexandru-stancioiu, it would be nice to add an example if possible for this cool new feature in the examples subproject so that it would show up here https://www.aemcomponents.dev/content/core-components-examples/library/core-content/content-fragment.html . Then people can see it already shortly after the new release.
…ialog The dynamically-populated Coral Select for VCF templates has no server-side items, so Coral loses the stored JCR value on dialog load. Read the stored vcfTemplate from the component resource via an async fetch and use it as fallback when populating the dropdown. Added Karma/Jasmine tests for VCF template retention scenarios. Made-with: Cursor
13cfd81 to 86df6e9
Add a VCF display mode example to the Content Fragment examples page, showing the component configured with displayMode=vcf and a template. The visual preview requires AEM as a Cloud Service. Made-with: Cursor
Unfortunately we cannot make the visual preview on the aemcomponents.dev website work because we cannot serve any template client-side; it works only on AEMaaCS.
- Rename getVcfPublishUrl to getVcfRenderUrl
- Author: use preview API /sites/cf/fragments/{id}/preview
- Publish: use delivery URL /contentFragments/{templateId}/{id}/{variation}.html
- HTL uses model-generated URL via data-vcf-url attribute instead of hardcoding
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Use shadow DOM to isolate VCF template HTML and CSS from the host page, preventing style leakage in both directions. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Cover the buildAuthorPreviewUrl() code path with tests that set the run mode to "author", verifying the preview API URL format with template, variation, master variation, and without template. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Add site clientlib (vcf.js) for View as Published / publish rendering with shadow DOM isolation and IMS Bearer token for author preview API
- Add vcfTemplatesApiBase and isVcfAuthRequired to ContentFragment model to expose templates API URL and auth flag via data attributes in HTL
- Refactor editDialog.js to read templates API from DOM/HTML fallback instead of hardcoding; use $.when() for deferred coordination
- Refactor vcfRenderer.js to read URL from data-cmp-contentfragment-vcf-url attribute (model-generated) instead of constructing it client-side
- Add hidden div with vcfTemplatesApiBase for unconfigured components so dialog can discover the templates API on pages with no VCF elements
- Refactor mockvcf.js: extract rewriteUrlIfNeeded(), separate templates API base collection from VCF URL scan, add XHR interceptor for Granite HTTP layer, guard duplicate MutationObservers
- Extract VCF_DISPLAY_MODE constant and isVcfMode() helper in Java model
- Clear LOADING_ATTR on success and error in vcfRenderer.js
- Guard attachShadow against double-call in vcf.js
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Replace hardcoded VCF URL constants in ContentFragmentImpl with injected VcfUrlProvider OSGi service from cq-dam-cfm-api. The service returns URLs based on the FT_CFVS_GA feature toggle state.
- Add cq-dam-cfm-api 1.4.61-SNAPSHOT dependency and vcf package import
- Inject VcfUrlProvider in ContentFragmentImpl
- Add GA URL tests (FT enabled) alongside existing legacy URL tests
- Register mock VcfUrlProvider in AbstractContentFragmentTest
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Fixes #1, Fixes #2