We need to allow our users to have source HTML tags in the rich text editor. Currently, even if the user adds <a href="www.google.com">Click here</a>, the xssprotection file strips off the href attribute.
We do not want to keep on adding each tag and its attributes to the xssprotection file to allow users to add them.
As much as there is an XSS risk, what's the best way to provide the flexibility without compromising security?
What is the concern about letting links be allowed from the RTE to a component's output? Typically, links established in the RTE are rendered to the component without a concern, especially if you are writing a text component where the link needs to be live on the web site.
We can surely add the href attribute to the XSS config file and it will work. The issue is that if they want all HTML tags to be allowed, we will end up updating the XSS file every single time.
Is there a way to bypass this so that the XSS filter does not strip the output on the publisher? Or is adding the needed attributes to the XSS config the only way to do it?
In addition, we have updated the article to show the use of HTML tags in an RTE that is part of a multifield; see here: Adobe Experience Manager Help | Creating an AEM 6.2 HTML Template Language component that uses a Mul... (this is for AEM 6.2; we will do the same for AEM 6.3 soon).
Worth reading: XSS Filter issue with the target attribute of the a tag
Copy /libs/cq/xssprotection/config.xml to /apps/cq/xssprotection/config.xml.
In the common-attributes section, add the following target attribute declaration:
<regexp value="[a-zA-Z0-9-_\$]+" />
Find the a tag declaration by searching for the term <tag name="a".
Add the line below in the list of attributes:
<attribute name="target" />
Save the file. Now the link will open in a new window if the option is selected.
Everybody safe and good!
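To make the trade-off in this thread concrete (why the filter strips attributes it has no rule for, and what a rule like the target regexp above buys you), here is an added example of an allowlist sanitizer written in the same tag / attribute / regexp spirit as the xssprotection config.xml. It is illustration code, not AEM's implementation or configuration: the tag list, the href scheme check, the sample inputs and the names sanitize and safe_href are all assumptions made for this example. It keeps <a href target> only when each value passes its validator, records what it removed so the behaviour is auditable, and drops <script> together with its contents.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example (not AEM's actual config.xml):
# only these tags survive, and only the attributes listed in
# ATTRIBUTE_RULES survive, each gated by a validator.
ALLOWED_TAGS = {"a", "p", "b", "i", "strong", "em", "ul", "ol", "li", "br"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}
TARGET_RE = re.compile(r"[a-zA-Z0-9-_\$]+")  # the regexp quoted in the thread


def safe_href(value: str) -> bool:
    """Accept relative URLs and absolute URLs with an allowlisted scheme.

    Anything with a scheme outside SAFE_SCHEMES (e.g. javascript:) is rejected,
    which is why a filter that knows nothing about href must strip it entirely.
    """
    v = value.strip()
    scheme, sep, _ = v.partition(":")
    if sep and not any(c in scheme for c in "/#?"):
        return scheme.lower() in SAFE_SCHEMES
    return True  # relative path, fragment or query: no scheme to abuse


ATTRIBUTE_RULES = {
    "a": {
        "href": safe_href,
        "target": lambda v: TARGET_RE.fullmatch(v) is not None,
    },
}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input from allowed tags/attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.stripped = []   # audit trail: (tag, attr, value) that was removed
        self._open = []      # stack of open allowed tags, to close them properly
        self._skip = 0       # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # drop the element and everything inside it
        if self._skip or tag not in ALLOWED_TAGS:
            self.stripped.append((tag, None, None))
            return
        kept = ""
        rules = ATTRIBUTE_RULES.get(tag, {})
        for name, value in attrs:
            check = rules.get(name)
            if check is None or value is None or not check(value):
                self.stripped.append((tag, name, value))  # no rule, or rule failed
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
            return
        if not self._skip and tag in self._open:
            while True:  # close any tags left open inside this one
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-escape text content


def sanitize(html):
    """Return (sanitized_html, list_of_stripped_items)."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    while p._open:  # close anything the author never closed
        p.out.append(f"</{p._open.pop()}>")
    return "".join(p.out), p.stripped


if __name__ == "__main__":
    # Constructed sample input, mirroring the link case from the thread
    sample = '<a href="https://www.google.com" target="_blank" onclick="x()">Click here</a>'
    print(sanitize(sample))
    print(sanitize('<a href="javascript:alert(1)">x</a><script>steal()</script>'))
```

The stripped list is the useful part operationally: if users report "the href disappeared", logging what the filter removed and why tells you whether it was an attribute with no rule (add one, as the target steps above do) or a value that failed its rule (the content itself was unsafe). Opening the allowlist to "all HTML" removes exactly this distinction.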
In our RTE (Touch UI) we have a custom link and it creates a proper <a href=''/>, but when we save or check in Source Edit, the href attribute alone disappears. We have checked that the href tag is available in the XSS configuration. Is there anything we need to do?