AEM 6.5.5 tabindex attribute is removed by xss protection even after allowing the attribute in /apps/cq/xssprotection/config | Community
Skip to main content
A
akashdeepAEM
Level 3
March 9, 2022
Solved

AEM 6.5.5 tabindex attribute is removed by xss protection even after allowing the attribute in /apps/cq/xssprotection/config

  • March 9, 2022
  • 3 replies
  • 3275 views

Hi, 
cc @gaurav-behl @kautuk_sahni  @arunpatidar  @theo_pendle 

Issue: The html attribute added in source-edit mode in RTE is lost, when we save and re-open RTE for editing 

 

Root cause: it’s removed due to XSS Antisamy Rules in AEM, not by RTE. The XSS Config exists at : /libs/cq/xssprotection/config.xml

 

error.logs

 

GET /content/foxtel/now/shop.html HTTP/1.1] org.apache.sling.xss.impl.HtmlToHtmlContentContext AntiSamy warning: The h2 tag contained an attribute that we could not process. The tabindex attribute has been filtered out, but the tag is still in place. The value of the attribute was "0".


Fix:  Overlay and update xss config in apps, 

 

1.      /libs/cq/xssprotection/config.xml

 

We tried to overlay and uncomment the tabindex entry in the /apps/cq/xssprotection/config.xml
but that did not solve the problem in the touch ui component RTE

<attribute name="tabindex">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>

Tried this on vanila AEM 6.5 with a text v2 core component having sourceedit enabled in we-retail page. Still the tab-index attribute is not shown on the page but is present in jcr:content node.

Reference https://helpx.adobe.com/experience-manager/kb/target-attribute-issue-tag.html
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/rte-plugin-modifying-html-removing-js-functions-like-onclick/m-p/317734#M35783 

Thanks @gaurav-behl  have updated the question.

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Gaurav-Behl

Hi akashdeepAEM,

If you read the updated 6.5 documentation, it clearly says that AntiSamy is enabled by '/libs/cq/xssprotection/config.xml' and you can validate this by searching for 'Apache ling XSS Filter' under '/system/console/configMgr' and check how its wiring is enabled. In addition, it refers to org.apache.sling.xss.impl.XSSFilterImpl which can be found @ https://github.com/apache/sling-org-apache-sling-xss. Hope it explains why '/libs/sling/xss/config.xml' is not required anymore.

 

This means that you were on the right track but could not set custom attribute (or tag, as applicable) in '/libs/cq/xssprotection/config.xml' properly. I'd recommend testing that on HTML/HTL markup before you explore the RTE use case - save a custom attribute and render it using proper HTL syntax.You may use context='unsafe', if required, depending on your use case.

 

I think the issue is with RTE configuration and not with AntiSamy setup. Once you're able to identify the actual rootcause, you may write a custom RTE plugin tailored to your requirements.

 

3 replies

Gaurav-Behl
Gaurav-BehlAccepted solution
Level 10
March 10, 2022

Hi akashdeepAEM,

If you read the updated 6.5 documentation, it clearly says that AntiSamy is enabled by '/libs/cq/xssprotection/config.xml' and you can validate this by searching for 'Apache ling XSS Filter' under '/system/console/configMgr' and check how its wiring is enabled. In addition, it refers to org.apache.sling.xss.impl.XSSFilterImpl which can be found @ https://github.com/apache/sling-org-apache-sling-xss. Hope it explains why '/libs/sling/xss/config.xml' is not required anymore.

 

This means that you were on the right track but could not set custom attribute (or tag, as applicable) in '/libs/cq/xssprotection/config.xml' properly. I'd recommend testing that on HTML/HTL markup before you explore the RTE use case - save a custom attribute and render it using proper HTL syntax.You may use context='unsafe', if required, depending on your use case.

 

I think the issue is with RTE configuration and not with AntiSamy setup. Once you're able to identify the actual rootcause, you may write a custom RTE plugin tailored to your requirements.

 

    T
    T_a_n_m_a_y
    December 13, 2023

    Hi! I am trying to add javacript:void(0) attribute from the hyperlink in aem RTE but the value is not retained by the hyperlink href tag when we open the dialog box again. Is there any way to achieve this?

    arunpatidar
    Community Advisor
    arunpatidarCommunity Advisor
    Community Advisor
    March 15, 2022

    Hi,

    Apart from @gaurav-behl's suggestion. could you try below

     the RTE editor strips the data attributes because the xssFiltering is enabled at dialog level. you can use the xssDisableFiltering in the rte text node of dialog to disable it.

     

    https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/touch-ui-rte-removing-data-attributes/m-p/251260/highlight/true#M12074

     

    Arun Patidar
      A
      akashdeepAEMAuthor
      Level 3
      March 22, 2022

      Thanks @gaurav-behl @arunpatidar 
      Considering the RTE html in source edit is something like below with tabindex in h2 

      <div class="container container-custom-1180">
<div class="row"><div class="col-md-12">
<div><h2 class="ui-basepack-title" tabindex="0">Some text here you've chosen.</h2></div>
</div>
</div>
</div>

      then to allow the tabindex for h2 tag, we require to update /apps/cq/xssprotection/config.xml

      <tag name="h2" action="validate">
      <attribute name="tabindex" description="...">
                <regexp-list>
                    <regexp name="anything"/>
                </regexp-list>
       </attribute>
 </tag>

       



        Terms & ConditionsAccessibility statement

        Loading footer...