SOLVED

Anchor tag inside RTE not accepting javascript function call

Former Community Member

Hi,

I have a requirement where I need to call a javascript function inside the "href" of an anchor tag in the RTE. But whenever I do this, the entire anchor tag vanishes on clicking OK. I suppose this is a CQ5 RTE out-of-the-box feature. Can anyone suggest a way to overcome this?

Thanks in advance :)

Subhra

1 Accepted Solution

Correct answer by
Employee

Hi Subhra,

I suspect this actually isn't the RTE as much as it is XSS protection. You will need to reconfigure the XSS protection to allow this. By default, only a small number of javascript functions are allowed in the href attribute:

<literal-list>
    <literal value="javascript:history.go(0)"/>
    <literal value="javascript:history.go(-1)"/>
    <literal value="javascript:void(0)"/>
    <literal value="javascript:location.reload()"/>
</literal-list>

See http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html#Protect%20against%20Cross-Si... for more information around where to configure this.

Of course, doing what you are describing is opening up a security risk. You should think long and hard before doing it.

Good luck,

Justin
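
An added example, not part of the original thread and not AEM's own code: a simplified model of the literal allow-list quoted in the answer above, used to audit the javascript: hrefs in an HTML fragment before it is pasted into the RTE. It assumes a literal matches only when the whole attribute value equals it (case-insensitive); openHelp() and the sample HTML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Default literal-list as quoted in the answer above.
LITERAL_LIST = """<literal-list>
  <literal value="javascript:history.go(0)"/>
  <literal value="javascript:history.go(-1)"/>
  <literal value="javascript:void(0)"/>
  <literal value="javascript:location.reload()"/>
</literal-list>"""

# Constructed sample of RTE output; openHelp() is a hypothetical author function.
SAMPLE_HTML = (
    '<p><a href="javascript:void(0)">noop</a> '
    '<a href="javascript:openHelp()">help</a> '
    '<a href="javascript:void(0);">noop with semicolon</a> '
    '<a href="/content/help.html">plain link</a></p>'
)

def allowed_literals(xml_text):
    """Return the allowed href literals, lower-cased for comparison."""
    root = ET.fromstring(xml_text)
    return {lit.get("value", "").lower() for lit in root.iter("literal")}

class HrefCollector(HTMLParser):
    """Collect the href value of every <a> start tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def audit_js_hrefs(html, literals):
    """Map each javascript: href to True (on the list) or False (not on it).

    Assumption: whole-value, case-insensitive equality. Other hrefs are
    skipped; rules not shown on the page govern them.
    """
    collector = HrefCollector()
    collector.feed(html)
    verdicts = {}
    for href in collector.hrefs:
        value = href.strip().lower()
        if value.startswith("javascript:"):
            verdicts[href] = value in literals
    return verdicts

if __name__ == "__main__":
    for href, ok in audit_js_hrefs(SAMPLE_HTML, allowed_literals(LITERAL_LIST)).items():
        print("on allow-list " if ok else "not on list   ", href)
```

Under that assumption, a trailing semicolon is enough to put an otherwise listed value outside the list, so compare the exact string the editor emits.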

2 Replies

Former Community Member

Hi Justin,

Thanks for your reply. I tried adding another literal value in the literal-list mentioning my function name, but in vain. I also tried using the already existing javascript functions in the list; even those are getting stripped.

Can you suggest any other alternative?

Thanks,

Subhra