Expand my Community achievements bar.

SOLVED

AEM 6.5.5 tabindex attribute is removed by xss protection even after allowing the attribute in /apps/cq/xssprotection/config

Avatar

Level 4

Hi, 
cc @Gaurav-Behl @kautuk_sahni  @arunpatidar  @Theo_Pendle 

Issue: The html attribute added in source-edit mode in RTE is lost, when we save and re-open RTE for editing 

 

Root cause: it’s removed due to XSS Antisamy Rules in AEM, not by RTE. The XSS Config exists at : /libs/cq/xssprotection/config.xml

 

error.logs

 

GET /content/foxtel/now/shop.html HTTP/1.1] org.apache.sling.xss.impl.HtmlToHtmlContentContext AntiSamy warning: The h2 tag contained an attribute that we could not process. The tabindex attribute has been filtered out, but the tag is still in place. The value of the attribute was "0".


Fix:  Overlay and update xss config in apps, 

 

1.      /libs/cq/xssprotection/config.xml

 

We tried to overlay and uncomment the tabindex entry in the /apps/cq/xssprotection/config.xml
but that did not solve the problem in the touch ui component RTE

<attribute name="tabindex">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>

Tried this on vanila AEM 6.5 with a text v2 core component having sourceedit enabled in we-retail page. Still the tab-index attribute is not shown on the page but is present in jcr:content node.

Reference https://helpx.adobe.com/experience-manager/kb/target-attribute-issue-tag.html
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/rte-plugin-modifying-html-... 

Thanks @Gaurav-Behl  have updated the question.

 

1 Accepted Solution

Avatar

Correct answer by
Level 10

Hi akashdeepAEM,

If you read the updated 6.5 documentation, it clearly says that AntiSamy is enabled by '/libs/cq/xssprotection/config.xml' and you can validate this by searching for 'Apache ling XSS Filter' under '/system/console/configMgr' and check how its wiring is enabled. In addition, it refers to org.apache.sling.xss.impl.XSSFilterImpl which can be found @ https://github.com/apache/sling-org-apache-sling-xss. Hope it explains why '/libs/sling/xss/config.xml' is not required anymore.

 

This means that you were on the right track but could not set custom attribute (or tag, as applicable) in '/libs/cq/xssprotection/config.xml' properly. I'd recommend testing that on HTML/HTL markup before you explore the RTE use case - save a custom attribute and render it using proper HTL syntax.You may use context='unsafe', if required, depending on your use case.

 

I think the issue is with RTE configuration and not with AntiSamy setup. Once you're able to identify the actual rootcause, you may write a custom RTE plugin tailored to your requirements.

 

View solution in original post

4 Replies

Avatar

Correct answer by
Level 10

Hi akashdeepAEM,

If you read the updated 6.5 documentation, it clearly says that AntiSamy is enabled by '/libs/cq/xssprotection/config.xml' and you can validate this by searching for 'Apache ling XSS Filter' under '/system/console/configMgr' and check how its wiring is enabled. In addition, it refers to org.apache.sling.xss.impl.XSSFilterImpl which can be found @ https://github.com/apache/sling-org-apache-sling-xss. Hope it explains why '/libs/sling/xss/config.xml' is not required anymore.

 

This means that you were on the right track but could not set custom attribute (or tag, as applicable) in '/libs/cq/xssprotection/config.xml' properly. I'd recommend testing that on HTML/HTL markup before you explore the RTE use case - save a custom attribute and render it using proper HTL syntax.You may use context='unsafe', if required, depending on your use case.

 

I think the issue is with RTE configuration and not with AntiSamy setup. Once you're able to identify the actual rootcause, you may write a custom RTE plugin tailored to your requirements.

 

Avatar

Level 1

Hi! I am trying to add javacript:void(0) attribute from the hyperlink in aem RTE but the value is not retained by the hyperlink href tag when we open the dialog box again. Is there any way to achieve this?

Avatar

Community Advisor

Hi,

Apart from @Gaurav-Behl's suggestion. could you try below

 the RTE editor strips the data attributes because the xssFiltering is enabled at dialog level. you can use the xssDisableFiltering in the rte text node of dialog to disable it.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/touch-ui-rte-removing-data...

 



Arun Patidar

Avatar

Level 4

Thanks @Gaurav-Behl @arunpatidar 
Considering the RTE html in source edit is something like below with tabindex in h2 

<div class="container container-custom-1180">
<div class="row"><div class="col-md-12">
<div><h2 class="ui-basepack-title" tabindex="0">Some text here you've chosen.</h2></div>
</div>
</div>
</div>

then to allow the tabindex for h2 tag, we require to update /apps/cq/xssprotection/config.xml

<tag name="h2" action="validate">
      <attribute name="tabindex" description="...">
                <regexp-list>
                    <regexp name="anything"/>
                </regexp-list>
       </attribute>
 </tag>