Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!

Allow HTML tags in rich text editor

Avatar

Level 4
Level 4
1/11/18 8:14:15 AM

We need to allow our users to have source html tags in rich text editor. currently even if the user adds <a href="www.google.com">Click here</a>, the xssprotection file strips off the href attribute.

We do not want to keep on adding each tag and it's attribute to the xssprotection file to allow users to add.

As much as there is a XSS risk, what's the best way to provide the flexibility without compromising security.

Views

4.8K

Replies

6
Sign in to like this content

Total Likes

Translate
Translate
6 Replies

Avatar

Level 10
Level 10
1/11/18 8:48:23 AM

What is the concern about letting links be allowed from RTE to a component output? Typically links established in RTE are rendered to the component without a concern. Esp if you are writing a text component where the link needs to be live in the web site.

Views

2.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
1/11/18 8:57:57 AM

Scott

We can surely add the href attribute to xss config file and it will work. Issue is if they want all HTML tags to be allowed, we will end up updating the xss file every single time.

Is there a way to bypass this so that the xss filter does not strip the output on publisher? Or adding needed attributes to xss is the only way to do it.

Views

2.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/11/18 1:32:17 PM

Believe adding the attributes is the way to go.

Views

2.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
1/11/18 10:16:00 PM

In addition - we have updated Article to show use of HTML tags in a RTE that is part of a MF - see here - Adobe Experience Manager Help | Creating an AEM 6.2 HTML Template Language component that uses a Mul... (this is for AEM 6.2 - we will do the same for AEM 6.3 soon)

Views

2.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Administrator
Administrator
1/12/18 12:09:36 AM

Worth reading:- XSS Filter issue with the target attribute of the a tag

// Copy /libs/cq/xssprotection/config.xml to /apps/cq/xssprotection/config.xml.

Open /apps/cq/xssprotection/config.xml.

In the common-attributes section, add the following target attribute declaration.

<attribute name="target>

<regexp-list>

   <regexp value="[a-zA-Z0-9-_\$]+" />

</regexp-list>

</attbribute>

ind the a tag declaration by searching the term <tag name="a".

Add the line below in the list of attributes:

<attribute name="target" />

Save the file. Now, the link will open in a new window if the option is selected.



Kautuk Sahni

Views

2.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
7/7/21 6:52:55 AM

Hi Techies, 

Everybody safe and good !

In Our RTE tocuhui we have custom link and it create proper <a href=''/> but while we save or check in Source Edit . Href attribute alone disappeared . We have checked the Href tag is available XSS configuration. anything we want to do.

 

<attribute name="href">
<regexp-list>
<regexp name="onsiteURL"/>
<regexp name="offsiteURL"/>
<regexp name="telURL"/>
</regexp-list>
</attribute>

Views

1.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate