SOLVED

Anchor tag inside RTE not accepting javascript function call

Former Community Member

Hi,

I have a requirement where I need to call a javascript function inside the "href" of an anchor tag in RTE. But whenever I do this, the entire anchor tag vanishes on clicking OK. I suppose this is a CQ5 RTE out of the box feature. Can anyone suggest a way to overcome this?

Thanks in advance :)

Subhra

1 Accepted Solution

Correct answer by
Employee

Hi Subhra,

I suspect this actually isn't the RTE as much as it is XSS protection. You will need to reconfigure the XSS protection to allow this. By default, only a small number of javascript functions are allowed in the href attribute:

<literal-list>
    <literal value="javascript:history.go(0)"/>
    <literal value="javascript:history.go(-1)"/>
    <literal value="javascript:void(0)"/>
    <literal value="javascript:location.reload()"/>
</literal-list>

See http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html#Protect%20against%20Cross-Si... for more information around where to configure this.

Of course, doing what you are describing is opening up a security risk. You should think long and hard before doing it.

Good luck,

Justin
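
An added illustration of how an exact-match literal list like the one quoted in the answer above treats `href` values; it is not part of the original answer and is not AEM or AntiSamy code. `myFunction`, the sample hrefs and the exact-string comparison are assumptions made for the example.

```javascript
// Added illustration, not AEM or AntiSamy code: exact-match check of href
// values against the <literal-list> quoted in the answer.

// Policy fragment copied from the answer above.
const POLICY_FRAGMENT = `
<literal-list>
  <literal value="javascript:history.go(0)"/>
  <literal value="javascript:history.go(-1)"/>
  <literal value="javascript:void(0)"/>
  <literal value="javascript:location.reload()"/>
</literal-list>`;

// Collect every <literal value="..."/> entry from a policy fragment.
function parseLiterals(xml) {
  const literals = new Set();
  for (const m of xml.matchAll(/<literal\s+value="([^"]*)"\s*\/>/g)) {
    literals.add(m[1]);
  }
  return literals;
}

// Classify one href. Assumption: the comparison is an exact string match
// after trimming; hrefs without a javascript: scheme are outside this list.
function classifyHref(href, literals) {
  const value = href.trim();
  if (!/^javascript:/i.test(value)) return "not-javascript";
  return literals.has(value) ? "allowed-literal" : "stripped";
}

// Report which hrefs in authored content would be removed under the policy.
function auditHrefs(hrefs, xml) {
  const literals = parseLiterals(xml);
  return hrefs.map((href) => ({ href, verdict: classifyHref(href, literals) }));
}

// Constructed sample hrefs (myFunction is a hypothetical author function).
const SAMPLE_HREFS = [
  "javascript:void(0)",
  "javascript:history.go(-2)",
  "javascript:myFunction()",
  "/content/site/en.html",
];

for (const { href, verdict } of auditHrefs(SAMPLE_HREFS, POLICY_FRAGMENT)) {
  console.log(`${verdict.padEnd(16)} ${href}`);
}
```

Under this model a value that differs from a listed literal by a single argument, such as `javascript:history.go(-2)`, is stripped just like an unlisted function call.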

2 Replies

Former Community Member

Hi Justin,

Thanks for your reply. I tried adding another literal value in the literal-list mentioning my function name but in vain. I also tried using the already existing javascript functions in the list, even those are getting stripped.

Can you suggest any other alternative?

Thanks,

Subhra