Enhancement
Nice to have
#24750
TL-Script Macros: Allow dynamic content in protected attributes (SafeHTML)
TL-Script macros ensure, among other things, that no JavaScript can be injected into the page. Currently this is achieved by not allowing dynamic content at all in attributes protected by SafeHTML; static content in those attributes is checked when the script is parsed.
Improvement
Users want to build, for example, the URL of an href attribute dynamically. Dynamic content should therefore also be allowed in protected attributes. A protected attribute whose value contains dynamic content can only be judged once the value is known, so it must then be checked for safety at render time.
A macro
x -> {{<a href="javascript:alert('xxx');">click</a>}}
already fails at parse time, because JavaScript is not allowed in href.
A macro
x -> {{<a href="{concat("java", "script:alert('xxx');")}">click</a>}}
is accepted by the parser, because the value is not known until the expression is evaluated, but produces an error on the page at render time.
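The two-phase check described above, as an added example in Python; this is not TopLogic's SafeHTML implementation, only a model of the behaviour the issue asks for. An attribute value is a sequence of static strings and deferred expressions (a lambda stands in for a TL-Script expression such as {concat(...)}). A protected attribute that is fully static is validated at parse time; one with dynamic parts is validated at render time, after the value has been assembled. The example goes a little beyond the page's javascript: case: it strips the control characters and whitespace that browsers ignore before scheme detection and uses a scheme allowlist rather than a blocklist, so "JAVA\tSCRIPT:" and "data:" are rejected too. The set of protected attribute names, the allowed schemes and the error type are assumptions of the example.

```python
import html
import re
from typing import Callable, Sequence, Union

# Assumed for this example: attribute names whose value is a URL and can
# therefore smuggle a script (the issue itself only names href).
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}

# Allowlist of URL schemes. Everything else (javascript:, data:, vbscript:, ...)
# is rejected; an allowlist does not need updating for the next odd scheme.
SAFE_SCHEMES = {"http", "https", "mailto", "tel"}

# Browsers drop ASCII control characters and whitespace before they look at
# the scheme, so "java\tscript:" and " javascript:" are still executed.
_CONTROL_OR_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"([a-zA-Z][a-zA-Z0-9+.\-]*):")


class UnsafeAttributeError(ValueError):
    """Raised when a protected attribute would carry an unsafe value."""


def check_url(value: str) -> str:
    """Return value unchanged if its scheme is allowed, otherwise raise."""
    normalized = _CONTROL_OR_WS.sub("", value)
    match = _SCHEME.match(normalized)
    if match is None:
        return value  # relative URL, query or fragment: no scheme to abuse
    scheme = match.group(1).lower()
    if scheme not in SAFE_SCHEMES:
        raise UnsafeAttributeError(f"scheme {scheme!r} is not allowed here")
    return value


def is_safe_url(value: str) -> bool:
    """Boolean form of check_url for callers that do not want an exception."""
    try:
        check_url(value)
    except UnsafeAttributeError:
        return False
    return True


# A macro attribute value: static text and deferred expressions, in order.
# A callable stands in for a TL-Script expression evaluated at render time.
Part = Union[str, Callable[[], str]]


def parse_attribute(name: str, parts: Sequence[Part]) -> None:
    """Parse-time check: only a fully static protected value can be judged now."""
    if name in URL_ATTRIBUTES and all(isinstance(p, str) for p in parts):
        check_url("".join(parts))


def render_attribute(name: str, parts: Sequence[Part]) -> str:
    """Render-time check: evaluate dynamic parts, then validate the whole value."""
    value = "".join(p if isinstance(p, str) else p() for p in parts)
    if name in URL_ATTRIBUTES:
        check_url(value)
    # Escape on output so the value cannot break out of the attribute quotes.
    return f'{name}="{html.escape(value, quote=True)}"'


def render_or_report(name: str, parts: Sequence[Part]) -> str:
    """Run both phases and report where, if anywhere, the value is rejected."""
    try:
        parse_attribute(name, parts)
    except UnsafeAttributeError as err:
        return f"parse error: {err}"
    try:
        return render_attribute(name, parts)
    except UnsafeAttributeError as err:
        return f"render error: {err}"


if __name__ == "__main__":
    # The two macros from the issue, followed by a legitimate dynamic URL.
    print(render_or_report("href", ["javascript:alert('xxx');"]))
    print(render_or_report("href", [lambda: "java" + "script:alert('xxx');"]))
    print(render_or_report("href", ["https://example.com/item?id=", lambda: "42"]))
```

The check runs on the assembled, unescaped value and the renderer escapes it afterwards; the order matters, because a check that ran on each dynamic fragment separately would pass "java" and "script:..." individually, which is exactly the case the second macro exploits.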
Test
- test.com.top_logic.model.search.expr.TestSearchExpression.testDynamicValuesInURL()
- test.com.top_logic.model.search.expr.TestSearchExpression.testHtmlSafetyDynamic()
- test.com.top_logic.model.search.expr.TestSearchExpression.testHtmlSafety()