XSS protection is filtering escaped html tags | Community
frederik_witte
March 5, 2019
Solved

XSS protection is filtering escaped html tags


Hey guys,

we have a scenario in which we have a multifield that contains rich text. This rich text gets saved in CRX, and we need to apply it to the title attribute of a span. So the input looks something like this:

<span data-tooltip-ref="/path/to/rte/value"></span>

Which then gets passed through a model which should output this:

<span title="&lt;p&gt;Test&lt;&#47;p&gt;"></span>

Now the XSS protection filters it out. We already overlaid cq/xssprotection/config.xml and included the attribute:

<tag name="span" action="validate">
  <attribute name="title">
    <regexp-list>
      <regexp value=".*"/>
    </regexp-list>
  </attribute>
</tag>

But sadly that doesn't work; it still gets filtered out by AEM. I even tried to put this config inside /libs/sling/xss and /libs/cq/xssprotection, without success.

Is AEM by default filtering out escaped HTML tags? How can I make this work?


Gaurav-Behl (Accepted solution)
Level 10
March 5, 2019

Try specifying each character's HTML entity equivalent rather than .*:

&lt;
&#47;
&gt;

Check if this helps - Re: RTE Plugin modifying HTML || Removing JS functions like onClick=""

Re: links to ppt not working on OOB text component
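A worked illustration of the difference between the `.*` rule in the question and the entity-by-entity allow-list the answer suggests, added here as an example and not code from this thread or from AEM. It models a "validate" attribute action as a full-match regular-expression check in Python and makes no claim about how AEM's own filter preprocesses values (for instance whether entities are decoded before matching, which the thread does not say). The `ENTITY_ALLOWLIST` pattern and the two non-escaped sample values are assumptions; the escaped rich-text value is the one from the question.

```python
import re

# Sample attribute values. The first is the escaped rich text from the question;
# the other two are constructed for this example.
ESCAPED_RTE = "&lt;p&gt;Test&lt;&#47;p&gt;"   # escaped markup, what the model should emit
RAW_HTML = "<p>Test</p>"                       # the same markup, unescaped (constructed)
QUOTE_BREAKOUT = 'Test" data-x="1'             # a value that would close the title attribute (constructed)

# Policy 1: the catch-all regexp from the question's config.xml.
CATCH_ALL = r".*"

# Policy 2 (assumed pattern): an explicit allow-list in the spirit of the accepted
# answer. Only the entities for <, >, / (plus &amp; and &quot;) and plain word
# characters, spaces and basic punctuation may appear; a raw '<' or '"' cannot.
ENTITY_ALLOWLIST = r"(?:&lt;|&gt;|&#47;|&amp;|&quot;|[A-Za-z0-9 .,!?:;-])*"


def validate_attribute(value: str, allow_regex: str) -> bool:
    """Model of a 'validate' action: the attribute survives only if the whole
    value matches the allow-list regexp (a partial match is not enough)."""
    return re.fullmatch(allow_regex, value) is not None


def render_span(tooltip: str, allow_regex: str) -> str:
    """Emit the <span> from the question, dropping the title attribute when
    validation fails instead of emitting an unvalidated value."""
    if validate_attribute(tooltip, allow_regex):
        return f'<span title="{tooltip}"></span>'
    return "<span></span>"


def compare_policies(value: str) -> dict:
    """Return the verdict of both policies for one attribute value."""
    return {
        "catch_all": validate_attribute(value, CATCH_ALL),
        "entity_allowlist": validate_attribute(value, ENTITY_ALLOWLIST),
    }


if __name__ == "__main__":
    for sample in (ESCAPED_RTE, RAW_HTML, QUOTE_BREAKOUT):
        print(repr(sample), compare_policies(sample))
        print("  ->", render_span(sample, ENTITY_ALLOWLIST))
```

The point the comparison makes: `.*` accepts every one of the three values, including the unescaped markup and the value that would break out of the attribute, so even if it were honoured it would give no protection; the entity allow-list accepts exactly the escaped rich text the question wants to pass through and rejects the other two, which is why listing the entity equivalents is the tighter policy to aim for.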