whitelist aria label in xss protection | Community
November 20, 2020
Solved

whitelist aria label in xss protection

  • November 20, 2020
  • 2 replies
  • 2030 views

Hi there,

Our requirement is to use the "aria-label" attribute on anchor tags in the source edit view of the RTE component. We have also tried overlaying "xssprotection/config.xml" and adding this attribute to the tag, but we are still unable to resolve the issue.

Changes we have made in config.xml:

<tag name="a" action="validate">
  <!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
  <attribute name="href"/>
  <!-- name="anything" references the common regexp "anything" declared in <common-regexps>;
       value="anything" would instead be compiled as an inline pattern that only matches the
       literal text "anything", so any real label is rejected and the attribute is stripped -->
  <attribute name="aria-label">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="onFocus"/>
  <attribute name="onBlur"/>
  <attribute name="nohref">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="rel">
    <literal-list>
      <literal value="nofollow"/>
    </literal-list>
  </attribute>
  <attribute name="name"/>
  <attribute name="target"/>
  <attribute name="onclick">
    <literal-list>
      <literal value="CQ_Analytics.Sitecatalyst.customTrack(this)"/>
    </literal-list>
  </attribute>
  <attribute name="adhocenable">
    <literal-list>
      <literal value="true"/>
      <literal value="false"/>
    </literal-list>
  </attribute>
  <attribute name="adhocevents">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="adhocevars">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>

  <!-- attributes used by the Adobe Campaign integration in links to landing pages -->
  <attribute name="data-nl-type">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="data-nl-landingpage">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="data-nl-landingpagelabel">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="data-nl-landingpagedynamicservice">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="data-nl-service">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
  <attribute name="data-nl-servicelabel">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
</tag>


2 replies

arunpatidar
Community Advisor
November 22, 2020
Arun Patidar
shelly-goel
Adobe Employee (Accepted solution)
November 22, 2020

@ravi_shankerj14 To allow a new HTML attribute in rich text source edit, whitelisting it in the xssprotection config should make it work. It works for me when I tried it on WKND pages with the new attribute added in /apps/cq/xssprotection/config.xml.

A few things to try at your end:

1. Try adding just the aria-label attribute under the a tag in the libs xssprotection config and test whether that works. If not, you can also try checking on sample WKND content (it might not be working due to rich text customization or project-specific code/content).

2. If that works, then check whether the overlay in apps is correct. It might be worth checking whether other changes in this overlay work but aria-label doesn't, or whether none of the custom changes work. There might be issues with the overlaid file.
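One way to test a whitelist entry before deploying an overlay is to model how the policy is read. The block below is an added example, not AEM or AntiSamy code: it is a simplified model of AntiSamy-style policy semantics (common regexps referenced by `name=`, inline patterns given by `value=`, attributes with no lists resolved from `<common-attributes>`, literal comparison assumed case-insensitive) applied to a constructed policy fragment. It shows why the `aria-label` rule in the posted config behaves differently when written as `<regexp value="anything"/>` versus `<regexp name="anything"/>`: the first compiles the word "anything" as the pattern, so a real label such as "Open the navigation menu" is rejected and the attribute is stripped.

```python
# Added example (not AEM or AntiSamy code): a simplified model of how an
# AntiSamy-style xssprotection policy decides whether an attribute on a tag
# is kept. Enough to show why <regexp name="anything"/> and
# <regexp value="anything"/> behave differently for aria-label.
import re
import xml.etree.ElementTree as ET

# Constructed policy fragment. The real AEM config.xml is much larger; this
# keeps only what the <a> rule needs. {aria_rule} is filled in by the caller.
POLICY_TEMPLATE = """<anti-samy-rules>
  <common-regexps>
    <regexp name="anything" value=".*"/>
    <regexp name="relativeURL" value="^/[^\\s]*$"/>
  </common-regexps>
  <common-attributes>
    <attribute name="href">
      <regexp-list><regexp name="relativeURL"/></regexp-list>
    </attribute>
  </common-attributes>
  <tag-rules>
    <tag name="a" action="validate">
      <attribute name="href"/>
      <attribute name="aria-label">
        <regexp-list><regexp {aria_rule}/></regexp-list>
      </attribute>
      <attribute name="rel">
        <literal-list><literal value="nofollow"/></literal-list>
      </attribute>
    </tag>
  </tag-rules>
</anti-samy-rules>"""


def load_policy(xml_text):
    """Parse the policy into {tag: {attribute: {"regexps": [...], "literals": [...]}}}."""
    root = ET.fromstring(xml_text)
    common_re = {r.get("name"): re.compile(r.get("value"))
                 for r in root.iterfind("./common-regexps/regexp")}

    def parse_rules(el):
        regexps = []
        for r in el.iterfind("./regexp-list/regexp"):
            if r.get("name") is not None:
                # name= is a reference into <common-regexps>
                if r.get("name") not in common_re:
                    raise ValueError("unknown common regexp %r" % r.get("name"))
                regexps.append(common_re[r.get("name")])
            else:
                # value= is an inline pattern, compiled exactly as written
                regexps.append(re.compile(r.get("value")))
        literals = [lit.get("value").lower()
                    for lit in el.iterfind("./literal-list/literal")]
        return {"regexps": regexps, "literals": literals}

    common_attrs = {a.get("name").lower(): parse_rules(a)
                    for a in root.iterfind("./common-attributes/attribute")}
    policy = {}
    for tag in root.iterfind("./tag-rules/tag"):
        attrs = {}
        for a in tag.iterfind("./attribute"):
            name = a.get("name").lower()
            rules = parse_rules(a)
            if not rules["regexps"] and not rules["literals"]:
                # <attribute name="x"/> with no lists: use the <common-attributes> definition
                rules = common_attrs.get(name)
            if rules is not None:
                attrs[name] = rules
        policy[tag.get("name").lower()] = attrs
    return policy


def attribute_allowed(policy, tag, attr, value):
    """True if the value survives validation. An attribute that is not
    whitelisted for the tag, or whose value matches no rule, is dropped."""
    rules = policy.get(tag.lower(), {}).get(attr.lower())
    if rules is None:
        return False
    if value.lower() in rules["literals"]:
        return True
    return any(p.fullmatch(value) for p in rules["regexps"])


def compare_aria_rules(value="Open the navigation menu"):
    """Evaluate the same aria-label value under both spellings of the rule."""
    broken = load_policy(POLICY_TEMPLATE.format(aria_rule='value="anything"'))
    fixed = load_policy(POLICY_TEMPLATE.format(aria_rule='name="anything"'))
    return {
        "value=anything": attribute_allowed(broken, "a", "aria-label", value),
        "name=anything": attribute_allowed(fixed, "a", "aria-label", value),
    }


if __name__ == "__main__":
    print(compare_aria_rules())  # {'value=anything': False, 'name=anything': True}
```

The same `attribute_allowed` check also confirms that an `href` still has to satisfy the common `href` definition, that `rel` only accepts its listed literal, and that an attribute absent from the `<a>` rule is dropped regardless of value, which is the behaviour to re-test after editing the overlay in /apps.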