SOLVED

How to whitelist attributes with empty value in XSS config

millionmeme
Level 1
I'm trying to whitelist a custom attribute that is not supposed to have any value in the XSS protection config, so that when I enter something like <div new-attribute></div> in the text editor, the new-attribute does not get stripped. But it seems like all the attributes defined in the configs need a regex filter rule, and therefore the attribute in the text editor needs a value assigned in order not to be stripped. Is there any way I can achieve this, to have <div new-attribute> and not get it stripped?

1 Accepted Solution
santhosh_kumark
Correct answer by Community Advisor

Hi @millionmeme,

${properties.jcr:title @ context='elementName'}  <!--/* Allows only element names that are white-listed, outputs 'div' otherwise */-->

You can overlay /libs/cq/xssprotection/config.xml to /apps and add your attributes in the config.

In the common-attributes section, add the following target attribute declaration.

    <attribute name="target">
        <regexp-list>
            <regexp value="[a-zA-Z0-9-_\$]+" />
        </regexp-list>
    </attribute>

You can look at XSS Filter issue with the target attribute of the a tag

You can add context=unsafe but it disables escaping and XSS protection completely, which can cause security issues.

Please read more about context on the blog: HTL Expression Language

Hope this helps.

Regards,

Santosh

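To see what a regexp-based attribute allowlist like the one above accepts for an attribute that carries no value, here is an added Python emulation of the decision rule; it is not AEM's or AntiSamy's code, and it assumes each value must fully match at least one regexp in the attribute's regexp-list. The config fragment is constructed for the example, and the new-attribute declaration using `*` is a constructed variant, not something from the original answer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the XSS protection config (not the real file).
# "target" uses the regexp from the answer (needs at least one character);
# "new-attribute" is a constructed variant whose regexp also matches the empty string.
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules>
  <common-attributes>
    <attribute name="target">
      <regexp-list>
        <regexp value="[a-zA-Z0-9-_\\$]+"/>
      </regexp-list>
    </attribute>
    <attribute name="new-attribute">
      <regexp-list>
        <regexp value="[a-zA-Z0-9-_]*"/>
      </regexp-list>
    </attribute>
  </common-attributes>
</anti-samy-rules>
"""


def load_attribute_rules(config_xml):
    """Map each declared attribute name to its list of compiled value regexps."""
    root = ET.fromstring(config_xml)
    rules = {}
    for attr in root.iter("attribute"):
        patterns = [r.get("value") for r in attr.iter("regexp")]
        rules[attr.get("name")] = [re.compile(p) for p in patterns]
    return rules


def filter_attributes(attrs, rules):
    """Emulated allowlist decision (assumption, not the filter's own code):
    keep an attribute only if it is declared and its whole value matches at
    least one regexp; everything else, including undeclared attributes, is stripped.
    An attribute written with no value, like <div new-attribute>, has value ''."""
    kept = {}
    for name, value in attrs.items():
        if name in rules and any(p.fullmatch(value) for p in rules[name]):
            kept[name] = value
    return kept
```

Running filter_attributes({"target": "", "new-attribute": ""}, load_attribute_rules(CONFIG_XML)) keeps only new-attribute, which shows why a `+` regexp strips a value-less attribute.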