adobe / htlengine

An HTL (Sightly) Interpreter/Compiler for Node.js
Apache License 2.0

data-sly-attribute.style is not working #201

Closed panec closed 4 years ago

panec commented 4 years ago

data-sly-attribute.style is not working as expected

This works

<a href="#whatever" style="color: ${colorName @ context='styleToken'};">Link</a>

while this does not work and returns no style attribute

<a href="#whatever" data-sly-attribute.style="color: ${colorName @ context='styleToken'};">Link</a>

Expected result is that both of them should behave the same.

tripodsan commented 4 years ago

Thanks. I created a test: https://github.com/adobe/htlengine/pull/202 and will look into it.

karollewandowski commented 4 years ago

on* and style attributes shouldn't be handled by the data-sly-attribute block according to the specification: https://github.com/adobe/htl-spec/blob/master/SPECIFICATION.md#223-attribute

Event handler attributes (on*) and the style attribute cannot be generated with data-sly-attribute due to the fact that none of the available display contexts can fully protect against XSS attacks given the range of values that these attributes can contain.
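The specification rule quoted above, sketched as an added example (not part of the thread and not htlengine's own code): a hypothetical `renderAttributes` helper drops `style` and `on*` names from the dynamic attribute map, which matches the missing style attribute reported in the issue. The `VALID_NAME` check and `escapeAttr` routine are assumptions added for illustration.

```javascript
// Added example: a hypothetical helper, not htlengine's own code.
// Names data-sly-attribute must not generate (HTL spec section 2.2.3): style
// and event handlers (on*). HTML attribute names are case-insensitive, so
// the check lower-cases first.
function isBlockedAttribute(name) {
  const n = String(name).trim().toLowerCase();
  return n === 'style' || n.startsWith('on');
}

// Assumption: extra hardening beyond the quoted rule. A name containing
// whitespace, quotes, '=', '/' or '>' could break out of the name position.
const VALID_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

// Minimal escaping for a value placed inside a double-quoted attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Merge dynamic attributes (the data-sly-attribute map) over the static ones
// written in the template. Blocked or malformed dynamic names are dropped and
// reported; static attributes are left untouched.
function renderAttributes(staticAttrs, dynamicAttrs) {
  const merged = { ...staticAttrs };
  const rejected = [];
  for (const [name, value] of Object.entries(dynamicAttrs)) {
    if (!VALID_NAME.test(name) || isBlockedAttribute(name)) {
      rejected.push(name);
      continue;
    }
    merged[name] = value;
  }
  const html = Object.entries(merged)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join('');
  return { html, rejected };
}

// Constructed sample mirroring the issue: href is static, the rest is dynamic.
const sample = renderAttributes(
  { href: '#whatever' },
  { style: 'color: red;', title: 'A "quoted" title', OnClick: 'handler()' }
);
console.log(`<a${sample.html}>Link</a>`, sample.rejected);
```

Returning the rejected names lets a template author see that the attribute was dropped on purpose; the inline `style="..."` form with an explicit `context='styleToken'` expression, which the issue reports as working, is unaffected.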

tripodsan commented 4 years ago

Thanks @karollewandowski. Closing as won't fix.