Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now
SOLVED

DOMPurify sanitizing issue

Avatar

Level 4
Level 4
5/7/25 1:08:28 AM

For tracking purposes, we're setting the following value for the "trackingfeature" attribute in our JSP file: vm.put("trackingFeature", "aem:pagepreview") However, on page load, we’re seeing a warning that DOMPurify is sanitizing the "trackingfeature" attribute—most likely due to the colon (:) in the value. Is there any way to fix this issue—either by allowing colons in this specific attribute or by excluding "trackingfeature" from being sanitized?

Views

686

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 10
Level 10
5/7/25 1:31:26 AM

You can configure DOMPurify to allow the trackingfeature attribute while retaining its sanitization for other attributes.

// Configure DOMPurify to allow the "trackingfeature" attribute with colons
DOMPurify.sanitize(dirtyHTML, {
    ADD_ATTR: ['trackingfeature'], // Explicitly allow the "trackingfeature" attribute
    ALLOW_UNKNOWN_PROTOCOLS: true  // Allow unknown protocols like "aem:"
});

This configuration ensures that the trackingfeature attribute is not stripped out during sanitization, and it allows colons in the attribute value by enabling ALLOW_UNKNOWN_PROTOCOLS. However, be cautious when enabling ALLOW_UNKNOWN_PROTOCOLS, as it could introduce security risks if misused.

Alternatively, you can use a hook to bypass sanitization for this specific attribute:

DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
  if (data.attrName === 'trackingfeature') {
    data.forceKeepAttr = true;
  }
});

This approach should ensures that the trackingfeature attribute is preserved exactly as it is, without being modified or removed by DOMPurify.

View solution in original post

Views

678

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Correct answer by
Level 10
Level 10
5/7/25 1:31:26 AM

You can configure DOMPurify to allow the trackingfeature attribute while retaining its sanitization for other attributes.

// Configure DOMPurify to allow the "trackingfeature" attribute with colons
DOMPurify.sanitize(dirtyHTML, {
    ADD_ATTR: ['trackingfeature'], // Explicitly allow the "trackingfeature" attribute
    ALLOW_UNKNOWN_PROTOCOLS: true  // Allow unknown protocols like "aem:"
});

This configuration ensures that the trackingfeature attribute is not stripped out during sanitization, and it allows colons in the attribute value by enabling ALLOW_UNKNOWN_PROTOCOLS. However, be cautious when enabling ALLOW_UNKNOWN_PROTOCOLS, as it could introduce security risks if misused.

Alternatively, you can use a hook to bypass sanitization for this specific attribute:

DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
  if (data.attrName === 'trackingfeature') {
    data.forceKeepAttr = true;
  }
});

This approach should ensures that the trackingfeature attribute is preserved exactly as it is, without being modified or removed by DOMPurify.

Views

679

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Community Advisor
Community Advisor
5/7/25 6:17:09 AM

Hi @user96222 ,

When you want DOMPurify to preserve a custom attribute like trackingfeature with a colon in its value, you can use one of the following secure methods:

Option 1: Allow Attribute via Config

DOMPurify.sanitize(dirtyHTML, {
  ADD_ATTR: ['trackingfeature'],      // Allow this custom attribute
  ALLOW_UNKNOWN_PROTOCOLS: true       // Let values like "aem:pagepreview" pass
});

Note: Enabling ALLOW_UNKNOWN_PROTOCOLS can expose your app to risks if user-generated input is not validated. Use with care!

Option 2: Use a DOMPurify Hook (Recommended)

DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
  if (data.attrName === 'trackingfeature') {
    data.forceKeepAttr = true; // Keep it exactly as it is
  }
});

This approach is safer and more targeted. It keeps trackingfeature untouched without relaxing global security rules.

Regards,
Amit

 

Views

640

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
5/11/25 11:20:30 PM

@user96222 Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Aanchal Sikka

Views

577

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Migration dispatcher issues 6.5 to cloud Solved

Views

400

Likes

0

Replies

3
Experience Fragment issue on cloud Solved

Views

376

Likes

0

Replies

3
Issue in Sling Model instantiating from Sightly Solved

Views

917

Likes

0

Replies

3
issues setting up aem RDE environment

Views

407

Like

1

Replies

3
Issues with AEM Target integration

Views

373

Likes

0

Replies

5