Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

Mark Solution

This conversation has been locked due to inactivity. Please create a new post.

SOLVED

Anchor tag inside RTE not accepting javascript function call

Avatar

Former Community Member
10/15/15 7:27:16 PM

Hi,

I have requirement where I need to call a javascript function inside "href" of anchor tag in RTE. But, whenever I do this, the entire anchor tag vanishes on clicking OK. I suppose this is a CQ5 RTE out of the box feature.Can anyone suggest a way to overcome this ?

Thanks in advance :)

Subhra

Views

909

Replies

2

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee
Employee
10/15/15 7:27:16 PM

Hi Subhra,

I suspect this actually isn't the RTE as much as it is XSS protection. You will need to reconfigure the XSS protection to allow this. By default, only a small number of javascript functions are allowed in the href attribute:

<literal-list> <literal value="javascript:history.go(0)"/> <literal value="javascript:history.go(-1)"/> <literal value="javascript:void(0)"/> <literal value="javascript:location.reload()"/> </literal-list>

 

See http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html#Protect%20against%20Cross-Si... for more information around where to configure this.

Of course, doing what you are describing is opening up a security risk. You should think long and hard before doing it.

Good luck,

Justin

View solution in original post

Views

752

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Employee
Employee
10/15/15 7:27:16 PM

Hi Subhra,

I suspect this actually isn't the RTE as much as it is XSS protection. You will need to reconfigure the XSS protection to allow this. By default, only a small number of javascript functions are allowed in the href attribute:

<literal-list> <literal value="javascript:history.go(0)"/> <literal value="javascript:history.go(-1)"/> <literal value="javascript:void(0)"/> <literal value="javascript:location.reload()"/> </literal-list>

 

See http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html#Protect%20against%20Cross-Si... for more information around where to configure this.

Of course, doing what you are describing is opening up a security risk. You should think long and hard before doing it.

Good luck,

Justin

Views

753

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Former Community Member
10/15/15 7:27:16 PM

Hi Justin,

Thanks for your reply. I tried adding another literal value in the literal-list mentioning my function name but in vain. I also tried using the already existing javascript functions in the list, even those are getting stripped.

Can you suggest any other alternative ?

Thanks,

Subhra

Views

756

Replies

0

Total Likes

Translate
Translate
Related Conversations
How to Apply a Policy to a Video Component Inside a Core Carousel (Panel Container) in Editable Templates?

Views

129

Likes

0

Replies

1
anchor tag <href="values"> not working in custom indexing

Views

104

Likes

0

Replies

0
How to use multiple path patterns inside Sling Filter?

Views

66

Likes

0

Replies

1
Sling filter not working when using SlingServletFilter annotation

Views

60

Likes

0

Replies

2
AEM as cloud and Generic List (ACS Commons) DAM metadata Schema - Options not saving in the dropdown

Views

810

Likes

0

Replies

2