Investigating
Include accessibility-related attributes in XSSProtection configuration
| Resumen de la solicitud de mejora de funciones (RFE): | Currently, AEM’s XSSProtection configuration (/libs/cq/xssprotection/config.xml) does not allow several accessibility-related attributes such as aria-label, aria-hidden, role, and tabindex. We propose including these attributes by default in the configuration to improve accessibility support and reduce the need for overlays or custom configurations. |
| Caso de uso: |
Developers using HTL expressions like: ${property @ context='html'} cannot render accessibility attributes defined in component properties, since they are filtered by the XSSProtection mechanism. This limits the ability to build fully accessible components following WCAG and ARIA standards. |
| Comportamiento actual/experimentado: | When rendering properties that contain ARIA or accessibility-related attributes, these attributes are removed by XSSProtection because they are not listed in config.xml. The only current workaround is to overlay /libs/cq/xssprotection/config.xml into /apps, which may cause maintenance issues with future updates. |
| Comportamiento mejorado/esperado: | AEM should include the attributes aria-label, aria-hidden, role, and tabindex (and potentially other accessibility-related attributes) in the default XSSProtection configuration, allowing them to be safely rendered through HTL without requiring overlay. |
| Detalles del entorno (versión de AEM, Service Pack y cualquier otra especificación, si corresponde): |
AEM as a Cloud Service Issue reproducible in both Author and Publish environments. Core Components and custom components affected. |
| Nombre del cliente o de la organización: | TELEFONICA ESPANA |
| Captura de pantalla (si corresponde): | N/A |
| Paquete de código (si corresponde) | Not required – issue reproducible with any component rendering an HTL property with @2941342='html' containing ARIA attributes. |