CQURLInfo : turning Off in CQ 5.5

Level 2

Hi,

We are developing a new set of templates off the foundation page components. On view-source we see the CQURLInfo object printing a set of URL-related info, as obtained from the input URL.

This opens it up to XSS attacks. We would like to turn it off. I believe there is a config option in 5.6; however, we are still on CQ 5.5 and there is no config option available in Felix.

Quick response is much appreciated.

thanks

pvr.

7 Replies

Level 2

The Daycare support folks came back saying that it is not possible to turn off CQURLInfo in 5.5.

Now, how are developers supposed to use the <cq:includeClientLib ..> tag if there is no protection from XSS attacks?

I was expecting something like a hotfix to turn this feature off.

If anyone has a better idea I would appreciate it.

-pvr

Level 10

From the AEM perspective, as already mentioned, it's available only from 5.6. But to make sure that if someone tries to access CQURLInfo via JavaScript they do not get the data present in it,

you can use some JS like the following (use this at the end of the template):

window.CQURLInfo = {}; console.log(window.CQURLInfo); // returns an empty object

It might cause issues if any part of AEM is using data present in CQURLInfo.

Level 2

@edubey:

Thanks for the response!

Would appreciate it if you could please list the said parts of CQ that use the data of CQURLInfo, so that based on the functionality we are using / not using, we could decide whether to empty it or not.

Level 10

I am not sure what part of AEM uses CQURLInfo; maybe some community member or Daycare support can help on its usage.

Meanwhile, use the JS I provided and execute the pages.

To note: the JS code I shared should work fine in any case, the reason being that once the pages and libraries are loaded, we are making it empty.

Level 2

Regarding the note: the observed behaviour is that for every <cq:includeClientLib> the code checks if CQURLInfo has already been output, and if not, that include will output it.

So if you enter the JS above at the end of the page, CQURLInfo might already have been printed out.
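The exchange above turns on where the data lands: the URL-derived values are written by the server into an inline script block, so a script that empties window.CQURLInfo afterwards runs only after the browser has already parsed whatever was reflected. The following is an added example written for this thread, not code from the original posts or from Adobe's CQ/AEM; it models a server-side renderer for such a block. The field names (contextPath, requestPath, selectors, extension, suffix), the sample request and the payload are all constructed assumptions, not a description of what CQ 5.5 actually emits. It shows the naive concatenation beside a rendering that escapes values for a script context, and checks that the end-of-page clearing script leaves the reflected markup untouched.

```javascript
// Added example, not from the thread or from Adobe's code. Models an inline
// <script> that serialises request-derived values into a CQURLInfo object.
// Field names and sample values below are assumptions made for illustration.

// Constructed sample request: the suffix is attacker-controlled and carries
// a payload that closes the script element and opens a new one.
const SAMPLE_URL_INFO = {
  contextPath: "",
  requestPath: "/content/site/en/home",
  selectors: ["print"],
  extension: "html",
  suffix: "/</script><script>alert(document.cookie)</script>",
};

// Naive renderer: concatenates values straight into the script block.
// This is the pattern the thread describes, reproduced deliberately so the
// breakout can be observed. Do not use this form.
function renderUrlInfoNaive(info) {
  return (
    "<script>var CQURLInfo = {" +
    'contextPath:"' + info.contextPath + '",' +
    'requestPath:"' + info.requestPath + '",' +
    'selectors:["' + info.selectors.join('","') + '"],' +
    'extension:"' + info.extension + '",' +
    'suffix:"' + info.suffix + '"' +
    "};</script>"
  );
}

// Escape a value for embedding inside a <script> block. JSON.stringify
// handles quotes and backslashes; the characters that can terminate the
// script element (or break JS string literals) are then emitted as \u escapes,
// which the JS engine decodes back to the original characters at runtime.
function toScriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened renderer: same data, but every value goes through the escaper.
function renderUrlInfoEscaped(info) {
  return "<script>var CQURLInfo = " + toScriptSafeJson(info) + ";</script>";
}

// The workaround proposed in the thread: a script at the end of the template
// that empties the object. It is appended after the inline block, so the
// reflected markup that the browser already parsed is unchanged.
function appendClearingScript(markup) {
  return markup + "<script>window.CQURLInfo = {};</script>";
}

// Detects a breakout: more than one closing script tag in the rendered
// markup means the payload ended the original element early.
function scriptBreakout(markup) {
  return (markup.match(/<\/script>/gi) || []).length > 1;
}

// Evaluates the rendered block the way a browser's JS engine would, and
// returns the resulting object, to confirm that escaping preserves the data.
function parseRendered(markup) {
  const body = markup.slice("<script>".length, -"</script>".length);
  return new Function(body + " return CQURLInfo;")();
}
```

Two things are worth noting in practice. First, the clearing script does nothing about the reflected bytes, which is exactly the objection raised in the last post; the only effective fixes are not emitting the block at all or escaping at render time on the server. Second, if the escaped block is later inserted into an HTML attribute or another context, it needs escaping for that context as well; the \u escaping here covers only the inline script element.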