onclick is getting removed | Community
Skip to main content
T
test1234567
Level 6
April 6, 2021
Solved

onclick is getting removed

  • April 6, 2021
  • 2 replies
  • 1357 views

Hello All - I have added the below onclick event via crx (not added via RTE) while the page is loading, unclick is not getting loaded. if it is removed from RTE, we can says due to XSS, it is getting removed but not sure why it is removed in this case. Can someone shed some light on this?

 

<a  onclick="test(event);" href="https://www.fitbit.com/us/legal/trademark-list">https://www.test.com</a>

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Asutosh_Jena_

Hi @test1234567 

This is removed by XSS protection rule which is evaluated during runtime. So even if you are setting the value in crx/de, while rendering the content the XSS evaluation takes place which is finding this as a custom attribute with value and is removing it from the markup. You must be getting an error similar to the below:

The onclick attribute had a value of "something". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

 

If you want to allow this tag to be present in the markup, you will need to enable the tag with required value or need to use a regex pattern to allow multiple values under

/apps/cq/xssprotection/config.xml and it will start working.

 

https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?lang=en#use-request-session

 

Hope this helps!

Thanks!

2 replies

Umesh_Thakur
Community Advisor
Umesh_ThakurCommunity Advisor
Community Advisor
April 6, 2021

Can you check once whether this has been saved in the crx or not ?

Though it is saved, it should be handled in other recommended way like:

author that anchor tag(<a ) with ID and in client library get that html element by id and do what ever you want.

this will be a good way to accomplish the task.

 

Hope this will help.

Umesh Thakur

    Asutosh_Jena_
    Community Advisor
    Asutosh_Jena_Community AdvisorAccepted solution
    Community Advisor
    April 6, 2021

    Hi @test1234567 

    This is removed by XSS protection rule which is evaluated during runtime. So even if you are setting the value in crx/de, while rendering the content the XSS evaluation takes place which is finding this as a custom attribute with value and is removing it from the markup. You must be getting an error similar to the below:

    The onclick attribute had a value of "something". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

     

    If you want to allow this tag to be present in the markup, you will need to enable the tag with required value or need to use a regex pattern to allow multiple values under

    /apps/cq/xssprotection/config.xml and it will start working.

     

    https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?lang=en#use-request-session

     

    Hope this helps!

    Thanks!

      Terms & ConditionsAccessibility statement

      Loading footer...