Hi,
cc @Gaurav-Behl @kautuk_sahni @arunpatidar @Theo_Pendle
Issue: The HTML attribute added in source-edit mode in the RTE is lost when we save and re-open the RTE for editing.
Root cause: it's removed due to the XSS AntiSamy rules in AEM, not by the RTE. The XSS config exists at: /libs/cq/xssprotection/config.xml
error.logs
GET /content/foxtel/now/shop.html HTTP/1.1] org.apache.sling.xss.impl.HtmlToHtmlContentContext AntiSamy warning: The h2 tag contained an attribute that we could not process. The tabindex attribute has been filtered out, but the tag is still in place. The value of the attribute was "0".
Fix: Overlay and update the XSS config in apps:
1. /libs/cq/xssprotection/config.xml
We tried to overlay and uncomment the tabindex entry in /apps/cq/xssprotection/config.xml, but that did not solve the problem in the Touch UI component RTE:
<attribute name="tabindex">
  <regexp-list>
    <regexp name="anything"/>
  </regexp-list>
</attribute>
Tried this on vanilla AEM 6.5 with a Text v2 core component having sourceedit enabled on a we-retail page. Still, the tab-index attribute is not shown on the page but is present in the jcr:content node.
Reference https://helpx.adobe.com/experience-manager/kb/target-attribute-issue-tag.html
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/rte-plugin-modifying-html-...
Thanks @Gaurav-Behl have updated the question.
Hi akashdeepAEM,
If you read the updated 6.5 documentation, it clearly says that AntiSamy is enabled by '/libs/cq/xssprotection/config.xml', and you can validate this by searching for 'Apache Sling XSS Filter' under '/system/console/configMgr' and checking how its wiring is enabled. In addition, it refers to org.apache.sling.xss.impl.XSSFilterImpl, which can be found at https://github.com/apache/sling-org-apache-sling-xss. Hope it explains why '/libs/sling/xss/config.xml' is not required anymore.
This means that you were on the right track but could not set the custom attribute (or tag, as applicable) in '/libs/cq/xssprotection/config.xml' properly. I'd recommend testing that on HTML/HTL markup before you explore the RTE use case: save a custom attribute and render it using proper HTL syntax. You may use context='unsafe', if required, depending on your use case.
I think the issue is with the RTE configuration and not with the AntiSamy setup. Once you're able to identify the actual root cause, you may write a custom RTE plugin tailored to your requirements.
Hi! I am trying to add javascript:void(0) attribute from the hyperlink in AEM RTE, but the value is not retained by the hyperlink href tag when we open the dialog box again. Is there any way to achieve this?
Hi,
Apart from @Gaurav-Behl's suggestion, could you try the below?
The RTE editor strips the data attributes because the xssFiltering is enabled at dialog level. You can use the xssDisableFiltering in the RTE text node of the dialog to disable it.
Thanks @Gaurav-Behl @arunpatidar
Considering the RTE HTML in source edit is something like below, with tabindex in h2:
<div class="container container-custom-1180">
  <div class="row">
    <div class="col-md-12">
      <div><h2 class="ui-basepack-title" tabindex="0">Some text here you've chosen.</h2></div>
    </div>
  </div>
</div>
Then, to allow the tabindex for the h2 tag, we need to update /apps/cq/xssprotection/config.xml:
<tag name="h2" action="validate">
  <attribute name="tabindex" description="...">
    <regexp-list>
      <regexp name="anything"/>
    </regexp-list>
  </attribute>
</tag>
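The policy lookup behind the h2 rule above, as an added example that is not part of the thread and is not AEM or Sling code: in an AntiSamy-style policy, an attribute defined only under common-attributes is a definition, and it is kept on a tag only when that tag's rule (or global-tag-attributes) lists it. The policy text is constructed, `attribute_allowed` is a hypothetical helper, and Python's `re` stands in for the Java regex matching, which is an assumption that holds for simple patterns like these.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy in AntiSamy's config.xml layout (not AEM's shipped file).
POLICY = """<anti-samy-rules>
  <common-regexps>
    <regexp name="anything" value=".*"/>
    <regexp name="integer" value="-?[0-9]+"/>
  </common-regexps>
  <common-attributes>
    <attribute name="tabindex"><regexp-list><regexp name="integer"/></regexp-list></attribute>
  </common-attributes>
  <tag-rules>
    <tag name="h2" action="validate">
      <attribute name="class"><regexp-list><regexp name="anything"/></regexp-list></attribute>
    </tag>
    <tag name="h3" action="validate">
      <attribute name="tabindex"/>
    </tag>
  </tag-rules>
</anti-samy-rules>"""
# Same policy with tabindex declared inside the h2 rule, as in the last post.
PATCHED = POLICY.replace('<tag name="h2" action="validate">',
    '<tag name="h2" action="validate"><attribute name="tabindex">'
    '<regexp-list><regexp name="anything"/></regexp-list></attribute>')

def attribute_allowed(policy_xml, tag, attr, value):
    """Hypothetical helper: would this policy keep attr=value on <tag>?"""
    root = ET.fromstring(policy_xml)
    regexps = {r.get("name"): r.get("value") for r in root.iterfind("common-regexps/regexp")}
    common = {a.get("name"): a for a in root.iterfind("common-attributes/attribute")}
    rule = next((t for t in root.iterfind("tag-rules/tag") if t.get("name") == tag), None)
    if rule is None or rule.get("action") != "validate":
        return False
    # Only attributes listed on the tag rule or under global-tag-attributes apply.
    listed = list(rule.iterfind("attribute")) + list(root.iterfind("global-tag-attributes/attribute"))
    for a in (x for x in listed if x.get("name") == attr):
        # An empty <attribute name="x"/> refers to the common-attributes definition.
        spec = a if len(a) else common.get(attr)
        if spec is None:
            continue
        for r in spec.iterfind("regexp-list/regexp"):
            pattern = r.get("value") or regexps.get(r.get("name"))
            if pattern and re.fullmatch(pattern, value):
                return True
        literals = spec.iterfind("literal-list/literal")
        if any(l.get("value", "").lower() == value.lower() for l in literals):
            return True
    return False
```

With the `anything` regexp, the patched h2 rule also accepts non-numeric tabindex values; the constructed `integer` regexp on h3 shows a tighter alternative.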