Leiste mit Community-Erfolgen erweitern.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

Mark Solution

Diese Konversation wurde aufgrund von Inaktivität geschlossen. Bitte erstellen Sie einen neuen Post.

GELÖST

Anchor tag inside RTE not accepting javascript function call

Avatar

Ehemaliges Community-Mitglied
15.10.15 7:27:16 PM

Hi,

I have requirement where I need to call a javascript function inside "href" of anchor tag in RTE. But, whenever I do this, the entire anchor tag vanishes on clicking OK. I suppose this is a CQ5 RTE out of the box feature.Can anyone suggest a way to overcome this ?

Thanks in advance 🙂

Subhra

Zugriffe

942

Antworten

2

Likes gesamt

Übersetzen
Übersetzen
1 Akzeptierte Lösung

Avatar

Korrekte Antwort von
Employee
Employee
15.10.15 7:27:16 PM

Hi Subhra,

I suspect this actually isn't the RTE as much as it is XSS protection. You will need to reconfigure the XSS protection to allow this. By default, only a small number of javascript functions are allowed in the href attribute:

<literal-list> <literal value="javascript:history.go(0)"/> <literal value="javascript:history.go(-1)"/> <literal value="javascript:void(0)"/> <literal value="javascript:location.reload()"/> </literal-list>

 

See http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html#Protect%20against%20Cross-Si... for more information around where to configure this.

Of course, doing what you are describing is opening up a security risk. You should think long and hard before doing it.

Good luck,

Justin

Lösung in ursprünglichem Beitrag anzeigen

Zugriffe

785

Antworten

0
Melden Sie sich an, um diesen Inhalt zu liken

Likes gesamt

Übersetzen
Übersetzen
Zu Antwort springen
2 Antworten

Avatar

Korrekte Antwort von
Employee
Employee
15.10.15 7:27:16 PM

Hi Subhra,

I suspect this actually isn't the RTE as much as it is XSS protection. You will need to reconfigure the XSS protection to allow this. By default, only a small number of javascript functions are allowed in the href attribute:

<literal-list> <literal value="javascript:history.go(0)"/> <literal value="javascript:history.go(-1)"/> <literal value="javascript:void(0)"/> <literal value="javascript:location.reload()"/> </literal-list>

 

See http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html#Protect%20against%20Cross-Si... for more information around where to configure this.

Of course, doing what you are describing is opening up a security risk. You should think long and hard before doing it.

Good luck,

Justin

Zugriffe

786

Antworten

0
Melden Sie sich an, um diesen Inhalt zu liken

Likes gesamt

Übersetzen
Übersetzen
Zu Antwort springen

Avatar

Ehemaliges Community-Mitglied
15.10.15 7:27:16 PM

Hi Justin,

Thanks for your reply. I tried adding another literal value in the literal-list mentioning my function name but in vain. I also tried using the already existing javascript functions in the list, even those are getting stripped.

Can you suggest any other alternative ?

Thanks,

Subhra

Zugriffe

789

Antworten

0

Likes gesamt

Übersetzen
Übersetzen
Verwandte Konversationen
AEM SPA OOTB model.json not fetching the locked components in the response Solved

Zugriffe

189

Likes

0

Antworten

2
How to Index AEM Page Metadata (Tags, Title, Description) in Coveo?

Zugriffe

21

Likes

0

Antworten

0
Call Custom JS logic from my specific Content Fragment Model

Zugriffe

37

Likes

0

Antworten

1
In new content fragment editor the auto save is not working

Zugriffe

127

Likes

0

Antworten

2
Image Map Editor Not Available for WebP Images in AEM Cloud DAM - Is This Expected Behavior?

Zugriffe

134

Likes

0

Antworten

2