I am using:
var template = HtmlService.createTemplateFromFile("MyForm.html");
Which contains a variable:
<?= defaultInnerHtml ?>
And I am trying to assign THIS variable with the content of another HTML file:
template.defaultInnerHtml
= HtmlService.createHtmlOutputFromFile(
"MyInnerHtml.html").getContent();
But the contents of MyInnerHtml.html become encoded: the angle brackets are replaced with entities etc. I am trying just to stuff some more Html inside the MyForm.html file before serving that back.
I can't see how to get just the raw contents to show up in place of the variable in the template.
Any help?
To disable this contextual escaping of special characters, change your template so it embeds the value of the variable like this:
<?!= defaultInnerHtml ?>
Note the exclamation mark. This specifies force-printing, which directs the template engine to embed the contents of the variable verbatim.
From Google's documentation:
Contextual escaping is important if your script allows untrusted user input. By contrast, you’ll need to force-print if your scriptlet’s output intentionally contains HTML or scripts that you want to insert exactly as specified.
Related
In my AEM project, we have client-side dynamic variable functionality which checks for any strings that are formed inside of a ${ } wrapper. The dynamic variable values are coming from our cookies. Replacing this with a more friendly format that does not conflict with Sightly is not an option at the moment, so please don't tell me to do that :)
When creating an anchor tag in the source editor of the Text core component, I am setting the href as the following: href="/content/en/opt-in.html?hash=${/profile/hash}". The anti-Samy configuration is blocking the href attribute from being rendered on this element, but I have tried to add the following to the overlayed file /apps/cq/xssprotection/config.xml:
<regexp name="expressionURLWithSpecialCharacters" value="(\$\{(\w|\/|:)+\})"/>
<regexp-list>
<regexp name="onsiteURL"/>
<regexp name="offsiteURL"/>
<regexp name="expressionURL"/>
<regexp name="expressionURLWithSpecialCharacters"/>
</regexp-list>
^ inside of the <attribute name="href"> block of common-attributes. Is there something else I need to do in order to make this not be filtered out so that it can be correctly parsed by the global variable replacement? Thanks!
There are two issues here:
The RTE will encode your URL and turn hash=${/profile/hash} into hash=$%7B/profile/hash%7D when storing into JCR
Even if you pass 1, the expression you are trying to use will only match EXACTLY the URL of ${/profile/hash}. You would need to expand the expression to include everything else (scheme, domain/host, path, query etc.). Think onsiteURL and offsiteURL but allowing your expression as well in query parameters. Have a look at https://github.com/apache/sling-org-apache-sling-xss/blob/master/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java#L115 to get a starting point.
Have you tried adding disableXSSFiltering="{Boolean}true”?
Vlad, your second point was helpful in that I hadn't considered that one of the regular expressions in the XSS Protection configuration href attribute block needed to match the ${/profile/hash} in addition to the rest of the URL preceding and following it. Although to your first point, the RTE actually did save the special characters as-is into the JCR and did not encode them, probably since I was using the source editor mode and not the inline text editor.
What I ended up doing was creating a new regular expression as follows:
<regexp name="onsiteURLWithVariableExpression"
value="(?!\s*javascript(?::|:))(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&'()*+,;=]))*#)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])))|(?:::(?:\p{XDigit}{1,4}:){5}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])))|(?:(?:\p{XDigit}{1,4}){0,1}::(?:\p{XDigit}{1,4}:){4}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])))|(?:(?:(?:\p{XDigit}{1,4}:){0,1}\p{XDigit}{1,4})?::(?:\p{XDigit}{1,4}:){3}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])))|(?:(?:(?:\p{XDigit}{1,4}:){0,2}\p{XDigit}{1,4})?::(?:\p{XDigit}{1,4}:){2}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])))|(?:(?:(?:\p{XDigit}{1,4}:){0,3}\p{XDigit}{1,4})?::(?:\p{XDigit}{1,4}:){1}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])))|(?:(?:(?:\p{XDigit}{1,4}:){0,4}\p{XDigit}{1,4})?::(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])))|(?:(?:(?:\p{XDigit}{1,4}:){0,5}\p{XDigit}{1,4})?::(?:\p{XDigit}{1,4}))|(?:(?:(?:\p{XDigit}{1,4}:){0,6}\p{XDigit}{1,4})?::))]|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])|(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])*|(?:%\p{XDigit}\p{XDigit})*|(?:[!$&'()*+,;=])*))(?::\p{Digit}+)?(?:/|(/(?:(?:\p{L}\p{M}*)|[\p{N}-._~]|%\p{XDigit}\p{XDigit}|[!$&'()*+,;=]|:|#)+/?)*))|(?:/(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~]|%\p{XDigit}\p{XDigit}|[!$&'()*+,;=]|:|#)+(?:/|(/(?:(?:\p{L}\p{M}*)|[\p{N}-._~]|%\p{XDigit}\p{XDigit}|[!$&'()*+,;=]|:|#)+/?)*))?)|(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~]|%\p{XDigit}\p{XDigit}|[!$&'()*+,;=]|:|#)+(?:/|(/(?:(?:\p{L}\p{M}*)|[\p{N}-._~]|%\p{XDigit}\p{XDigit}|[!$&'()*+,;=]|:|#)+)*)))?(?:\?(?:(?:\p{L}\p{M}*)|(\$\{(\w|\/|:)+\})|[\p{N}-._~]|%\p{XDigit}\p{XDigit}|[!$&'()*+,;=]|:|#|/|\?)*)?(?:#(?:(?:\p{L}\p{M}*)|[\p{N}-._~]|%\p{XDigit}\p{XDigit}|[!$&'()*+,;=]|:|#|/|\?)*)?"/>
which is just the onsiteURL with my original expressionURLWithSpecialCharacters: (\$\{(\w|\/|:)+\}) value added as a group in the query string parameter section. This enabled AEM to accept this as an href value in my anchor tag.
I appreciate everyone's help!
I am trying to implement facebook pixel via GTM, and I am hitting a few oddities.
I am implementing via custom html tag, and If i dont quote the variables, the gtm debugger shows them as google_tag_manager["<ID>"].macro(\'gtm123123123\')in the debugger, instead of the value itself. If i surround the use of the variable with quotes, I see the value itself.
If the {{User Email}} is translated into javascript code as i am seeing, I presume quoting isnt required?
If I need to quote, how would I write code like? em: ({{User Email}} || "").toLowerCase(),
Which is recommended? How to decide?
Also the debugger surrounds the entire tag in a '' is this expected?
In Custom HTML Tags you reference your Variables with the double brackets as per your example, without the quotes. e.g.
var userEmail = {{User Email}};
The Preview Mode Debug Panel is showing a non-executed version of your Custom HTML Tag. So the '' wrapped around your script in the panel output is expected. This is also why your Variables are not showing as values, instead you are seeing the internal GTM reference to your Variable.
If you need to test your Variable you can temporarily include a console.log(); To ensure your values is resolving correctly. e.g.
var userEmail = {{User Email}};
console.log(userEmail);
I have a template that takes parameters called "name" and "type".
I am currently attempting to call that template and pass it the transcluded contents of a page called Input1 that simply says:
name=Thing|type=Whatsit
I am calling the template this way: {{TemplateName|{{:Input1}}}}
However the template is simply receiving the text "name=Thing|type=Whatsit". It is not parsing the text as parameters, as if I had invoked it this way:
{{TemplateName|name=Thing|type=Whatsit}}
Is there any way to coax MediaWiki to see the page's contents as actual parameters, setting {{{name}}} and {{{type}}} on that basis? I had big plans for being able to use another template, Foreach, to create many calls to a template this way, passing it Input1, Input2, etc.
It is not possible to transclude the contents of a page to be used as parameters to a template.
MediaWiki first parses the structure of the template expression, i.e. the '{{', '|' and '}}'. Subsequently it expands the templates inside that expression, but if this expansion contains a '|' it is interpreted as a literal '|' and not a parameter separator. Hence the number of parameters can no longer change. This behavior used to be necessary to make the {{!}} template work, which was used to insert a literal '|' in a template parameter.
However, by changing the order of the transclusions, you can still do exactly what you want.
Template parameters can be used to construct the name of another template. So, you can pass the name of the template as a parameter to the page that contains your parameters: {{:Input1|TemplateName}}. Your 'Input' page would then be written as:
{{{{{1|Standard}}}
|Name=Input1
|Param1=Value1
|Param2=Value2
}}
So transcluding the page containing the parameters as {{:Input1|TableView}} would yield the desired result:
{{TableView
|Name=Input1
|Param1=Value1
|Param2=Value2
}}
I have this property which is HTML saved from a TinyMCE editor:
<?php echo h($person['Person']['CurriculumVitae']); ?>
How can I have it displayed on the web and rendered as RAW Html not a simple string?
Don't wrap the variable in h(), an alias for htmlspecialchars(), which escapes HTML entities:
<?php echo $person['Person']['CurriculumVitae']; ?>
Just to remove the h() might solve your issue but it will open possible security holes because the field that keeps the html from TinyMCE will now become a possible security hole.
I had the exact same issue and solved it by using http://htmlpurifier.org/ for the output of tinymce HTML. I've written also a CakePHP plugin around it. https://github.com/burzum/HtmlPurifier
HtmlPurifier will allow you to configure an allowed set of Html elements and even of it's attributes. So you could for example specify that href is allowed but class is not.
You'll need to create a config for HtmlPurifier that will match whatever you allow your users to do with TinyMce. It will remove all non allowed tags and attributes from the markup the user has entered.
Within Infobox at wikipedia some attributes values are also inside curly braces {{}}.. Some time they have lins also.. I need values inside the braces, which is displayed on wikipedia web page.
I read these are templates also.. Can anyone give me some link or guide me how do I deal with it?
Double-curly-braces {{}} define a call to some kind of magic word, variable, parser function, or template.. Help can be found on MediaWiki.org/.../Manual:Magic_words. The little lines that look like | are called pipes and are used to as separators that allow the wikicore parsing engine to define parameters that can be used with the magic word, variable, parser function, or template..
Hopefully this will help everyone who come across this very same issue.
Considering you will be parsing the infobox with PHP, you can use this:
http://www.mywiki.com/wiki/api.php?format=xml&action=query&titles=PAGE_TITLE_THAT_CONTAINS_AN_INFOBOX&prop=revisions&rvprop=content&rvgeneratexml=1
'rvgeneratexml' is being set to true (1), this will make the xml node <rev> generate an attribute "parsetree" containing the infobox information in XML format.
Then, in PHP, you can load the whole information (<api>everything including <rev></api>) with simpleXML:
$xml = simplexml_load_file($url);
Then you can load the template's information by getting the "parsetree" attribute and loading the string with:
$template = simplexml_load_string($xml->query->pages->page->revisions->rev->attributes()->parsetree);
$template = $template->template; // If more than 1 template, check template[0], [1], etc
Then, by using the correct structure, you can access the elements with something like:
if ($template->part[0]->name='name')
$film = $template->part[0]->value;
Then, $film will contain the film's name (->name is the parameter's name, and ->value is its value).