How to whitelist attributes with empty value in XSS config

Question

I'm trying to whitelist a custom attribute that is not supposed to have any value in XSS protection config so that when I enter something like

in text editor, the new-attribute does not get stripped. But it seems like all the attributes defined in the configs need a regex filter rule and therefore the attribute in the text editor needs a value assigned in order to not to be stripped. Is there any way I can achieve this? to have

and not get stripped?

santhosh_kumark · Accepted Answer

Hi @millionmeme ,

${properties.jcr:title @ context='elementName'}

You can overlay /libs/cq/xssprotection/config.xml to /apps and add your attributes in the config.

In the common-attributes section, add the following target attribute declaration.

<regexp-list>

</regexp-list>

</attbribute>

You can look at XSS Filter issue with the target attribute of the a tag

You can add context=unsafe but it disables escaping and XSS protection completely which can cause security issues.

Please read more about context on the blog: HTL Expression Language

Hope this helps.

Regards,

Santosh

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded