xssAPI.getValidHref returns empty if xssprotection/config.xml's anchor tag-rule is set to "filter" or "remove" | Community
October 16, 2015
Solved

xssAPI.getValidHref returns empty if xssprotection/config.xml's anchor tag-rule is set to "filter" or "remove"

  • October 16, 2015
  • 6 replies
  • 2029 views

In the cq/xssprotection/config.xml I set the tag-rule for an anchor as "filter" or "remove" because we don't want to allow our content editors to insert links. From every input field we run the xssAPI.filterHTML() method. However, when set this way, the xssAPI.getValidHref() method that we use for authorized links always returns empty.

This allows getValidHref to work but allows links in unauthorized fields:

<tag name="a" action="validate">
    <attribute name="href"/>
</tag>


This filters out unauthorized links, but doesn't allow getValidHref() to work:

<tag name="a" action="filter" /> or <tag name="a" action="remove" />


I'm looking to filter out anchor tags from almost all inputs, while at the same time, allow only valid paths for path selector inputs.

Any help would be greatly appreciated.


6 replies

Sham_HC
Level 10
October 16, 2015

Have you defined the policy for valid paths? If so, provide us the exact config copy. Per the OWASP AntiSamy config (cq/xssprotection/config.xml), the behavior is that

  • when the tag-rule action is set to "validate" for a given tag, verify that its attributes and child elements follow the rules defined in the policy file;
  • when the tag-rule action is set to "filter" for a given tag, delete the tag, but keep its child text.
Sham_HC
Level 10
October 16, 2015

AFAIK xssAPI does not work that way.

October 16, 2015

Hello Sham,

My question is if it's possible to configure CQ to 1) remove anchor tags with the filterHTML method, while 2) at the same time allow the getValidHref method to also work. Because right now I am unable to get both working together.

Here's an example of what I want to do:


<h1><%= xssAPI.filterHTML("only text is allowed here, no HTML, no anchor tags") %></h1>
<a href="<%= myXssAPI.getValidHref("http://www.adobe.com") %>">this link is OK</a>
<a href="<%= myXssAPI.getValidHref("javascript:alert()") %>">this link is BAD</a>


Thank You!

Sham_HC
Sham_HC (Accepted solution)
Level 10
October 16, 2015

As informed earlier, the output of authorInput & authorURL is right because

  1. filter: remove tags, but keep content
  2. validate: keep content as long as it passes rules
  3. remove: remove tag and contents

In case you are expecting a URL that begins with www to be valid (authorURL) and one without www (authorInput) to be invalid, then configure the regular expression in the policy for valid URLs.

smacdonald2008
Level 10
October 16, 2015

Can you please post your code so we can see exactly what you are trying to do.

October 16, 2015

I made very few changes to the xssprotection/config.xml and only in the <tag-rules /> section, see below.

I'm looking for this to work:

String authorInput = "<p>Author input <a href=\"http://wherever.com\">link</a></p>";
String authorURL = "http://www.wherever.com";

// should equal "<p>Author input</p>"
String filteredAuthorInput = xssAPI.filterHTML(authorInput);

// should equal "http://www.wherever.com"
String filteredAuthorURL = xssAPI.getValidHref(authorURL);


However, these are the actual results:

// filteredAuthorInput still has the link, filteredAuthorURL is correct
<tag name="a" action="validate"><attribute name="href"/></tag>

// filteredAuthorInput is correct, but filteredAuthorURL is always empty
<tag name="a" action="filter" /> or <tag name="a" action="remove" />

<tag-rules>
    <!-- You can mess with this stuff if you know what you're doing -->
    <tag name="html" action="remove" />
    <tag name="body" action="remove" />
    <tag name="meta" action="remove" />
    <tag name="head" action="remove" />
    <tag name="title" action="remove" />
    <tag name="script" action="remove" />
    <tag name="noscript" action="remove" />
    <tag name="iframe" action="remove" />
    <tag name="embed" action="remove" />
    <tag name="object" action="remove" />
    <tag name="frameset" action="remove" />
    <tag name="frame" action="remove" />
    <tag name="label" action="filter" />
    <tag name="form" action="remove" />
    <tag name="button" action="remove" />
    <tag name="input" action="remove" />
    <tag name="select" action="remove" />
    <tag name="option" action="remove" />
    <tag name="textarea" action="remove" />
    <tag name="h1" action="filter"/>
    <tag name="h2" action="filter"/>
    <tag name="h3" action="filter"/>
    <tag name="h4" action="filter"/>
    <tag name="h5" action="filter"/>
    <tag name="h6" action="filter"/>
    <tag name="p" action="filter" />
    <tag name="i" action="filter"/>
    <tag name="b" action="filter"/>
    <tag name="u" action="filter"/>
    <tag name="strong" action="filter"/>
    <tag name="em" action="filter"/>
    <tag name="small" action="filter"/>
    <tag name="big" action="filter"/>
    <tag name="pre" action="filter"/>
    <tag name="code" action="filter"/>
    <tag name="cite" action="filter"/>
    <tag name="samp" action="filter"/>
    <tag name="sub" action="filter"/>
    <tag name="sup" action="filter"/>
    <tag name="strike" action="filter"/>
    <tag name="center" action="filter"/>
    <tag name="blockquote" action="filter"/>
    <tag name="hr" action="remove"/>
    <tag name="br" action="validate"/>
    <tag name="col" action="filter"/>
    <tag name="font" action="filter" />
    <tag name="a" action="filter" />
    <!-- <tag name="a" action="validate"> <attribute name="href"/> </tag> -->
    <tag name="map" action="remove"/>
    <tag name="base" action="remove" />
    <tag name="style" action="remove" />
    <tag name="span" action="filter"/>
    <tag name="div" action="filter" />
    <tag name="img" action="remove" />
    <tag name="link" action="remove" />
    <!-- List tags -->
    <tag name="ul" action="filter"/>
    <tag name="ol" action="filter"/>
    <tag name="li" action="filter"/>
    <!-- Dictionary tags -->
    <tag name="dd" action="filter"/>
    <tag name="dl" action="filter"/>
    <tag name="dt" action="filter"/>
    <!-- Table tags (tbody, thead, tfoot)-->
    <tag name="thead" action="remove" />
    <tag name="tbody" action="remove" />
    <tag name="tfoot" action="remove" />
    <tag name="table" action="remove" />
    <tag name="td" action="remove" />
    <tag name="th" action="remove" />
    <tag name="tr" action="remove" />
    <tag name="colgroup" action="remove" />
    <tag name="col" action="remove" />
    <tag name="fieldset" action="remove"/>
    <tag name="legend" action="remove"/>
</tag-rules>


Thank You!
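A toy model of the three tag-rule actions from Sham_HC's accepted answer, run over the authorInput and authorURL strings from the question above (an added example, not code from AEM, AntiSamy or anyone in this thread). It assumes getValidHref works by wrapping the URL in an anchor and passing it through the same policy as filterHTML, which is what makes a "filter" or "remove" rule on a return empty; HREF_RE is a constructed stand-in for the policy's valid-URL regular expression.

```python
import html
import re
from html.parser import HTMLParser
# Toy model of the AntiSamy tag-rule actions (added example; not AEM or AntiSamy code).
# filter: drop the tag, keep its text. validate: keep the tag only if every attribute passes
# the regex, else filter it. remove: drop the tag and its contents. Tags absent from the
# policy are filtered; HREF_RE is a constructed stand-in for the policy's valid-URL regex.
HREF_RE = re.compile(r"^https?://[A-Za-z0-9./_-]+$")

class PolicyFilter(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out = policy, []  # policy: {"p": "validate", "a": "filter", ...}
        self.stack, self.removing = [], 0   # per-open-tag "emit close tag" flags; remove depth

    def handle_starttag(self, tag, attrs):
        if self.removing or self.policy.get(tag) == "remove":
            self.removing += 1              # everything until the matching end tag is dropped
            return
        keep = self.policy.get(tag) == "validate" and all(
            n == "href" and HREF_RE.match(v or "") for n, v in attrs)
        if keep:
            self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % a for a in attrs)))
        self.stack.append(keep)             # False: tag filtered, its text still flows through

    def handle_endtag(self, tag):
        if self.removing:
            self.removing -= 1
        elif self.stack and self.stack.pop():
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.removing:
            self.out.append(html.escape(data, quote=False))

def filter_html(policy, text):
    p = PolicyFilter(policy)
    p.feed(text)
    p.close()
    return "".join(p.out)

def get_valid_href(policy, url):
    # Assumed model of getValidHref: wrap the URL in an <a>, run it through the same policy
    # and return the href only if the anchor survived, hence "" when <a> is filtered/removed.
    wrapped = filter_html(policy, '<a href="%s"></a>' % html.escape(url, quote=True))
    m = re.search(r'<a href="([^"]*)">', wrapped)
    return html.unescape(m.group(1)) if m else ""
AUTHOR_INPUT = '<p>Author input <a href="http://wherever.com">link</a></p>'  # from the thread
AUTHOR_URL = "http://www.wherever.com"
```

Running filter_html and get_valid_href with the policy's a rule set to "validate", "filter" and "remove" in turn reproduces the three outcomes reported in the thread: only "validate" lets the href through, and only "filter"/"remove" strip the link from the paragraph.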