Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

Allow HTML tags in rich text editor

aembytes
Level 4
Level 4

We need to allow our users to have source html tags in rich text editor. currently even if the user adds <a href="www.google.com">Click here</a>, the xssprotection file strips off the href attribute.

We do not want to keep on adding each tag and it's attribute to the xssprotection file to allow users to add.

As much as there is a XSS risk, what's the best way to provide the flexibility without compromising security.

6 Replies
smacdonald2008
Level 10
Level 10

What is the concern about letting links be allowed from RTE to a component output? Typically links established in RTE are rendered to the component without a concern. Esp if you are writing a text component where the link needs to be live in the web site.

aembytes
Level 4
Level 4

Scott

We can surely add the href attribute to xss config file and it will work. Issue is if they want all HTML tags to be allowed, we will end up updating the xss file every single time.

Is there a way to bypass this so that the xss filter does not strip the output on publisher? Or adding needed attributes to xss is the only way to do it.

smacdonald2008
Level 10
Level 10

Believe adding the attributes is the way to go.

smacdonald2008
Level 10
Level 10

In addition - we have updated Article to show use of HTML tags in a RTE that is part of a MF - see here - Adobe Experience Manager Help | Creating an AEM 6.2 HTML Template Language component that uses a Mul... (this is for AEM 6.2 - we will do the same for AEM 6.3 soon)

kautuk_sahni
Community Manager
Community Manager

Worth reading:- XSS Filter issue with the target attribute of the a tag

// Copy /libs/cq/xssprotection/config.xml to /apps/cq/xssprotection/config.xml.

Open /apps/cq/xssprotection/config.xml.

In the common-attributes section, add the following target attribute declaration.

<attribute name="target>

<regexp-list>

   <regexp value="[a-zA-Z0-9-_\$]+" />

</regexp-list>

</attbribute>

ind the a tag declaration by searching the term <tag name="a".

Add the line below in the list of attributes:

<attribute name="target" />

Save the file. Now, the link will open in a new window if the option is selected.

senthil86
Level 2
Level 2

Hi Techies, 

Everybody safe and good !

In Our RTE tocuhui we have custom link and it create proper <a href=''/> but while we save or check in Source Edit . Href attribute alone disappeared . We have checked the Href tag is available XSS configuration. anything we want to do.

 

<attribute name="href">
<regexp-list>
<regexp name="onsiteURL"/>
<regexp name="offsiteURL"/>
<regexp name="telURL"/>
</regexp-list>
</attribute>