I'm trying to whitelist a custom attribute that is not supposed to have any value in the XSS protection config, so that when I enter something like <div new-attribute></div> in the text editor, the new-attribute does not get stripped. But it seems like all the attributes defined in the config need a regex filter rule, and therefore the attribute in the text editor needs a value assigned in order not to be stripped. Is there any way I can achieve this, i.e. to have <div new-attribute> and not get it stripped?
Hi @millionmeme ,
${properties.jcr:title @ context='elementName'} <!--/* Allows only element names that are white-listed, outputs 'div' otherwise */-->
You can overlay /libs/cq/xssprotection/config.xml to /apps and add your attributes in the config.
In the common-attributes section, add the following target attribute declaration.
<attribute name="target">
    <regexp-list>
        <regexp value="[a-zA-Z0-9-_\$]+" />
    </regexp-list>
</attribute>
You can look at XSS Filter issue with the target attribute of the a tag
You can add context=unsafe but it disables escaping and XSS protection completely which can cause security issues.
Please read more about context on the blog: HTL Expression Language
Hope this helps.
Regards,
Santosh
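As an added illustration that is not part of this thread and not AEM's own XSS filter code: a constructed Python model of the allowlist check the config describes. It parses a common-attributes fragment (the page's target rule plus a hypothetical new-attribute rule whose regexp also matches the empty string) and applies each rule as a full-string match to the attribute value. The modelling assumption is that a value-less attribute such as <div new-attribute> is checked as an empty string, which is why the + quantifier strips it and * keeps it; whether the AEM filter behaves identically is not confirmed by the thread.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed common-attributes fragment in the shape of the page's config.xml snippet.
# "target" is the page's own rule; "new-attribute" is a hypothetical rule whose regexp
# also matches the empty string, so a value-less <div new-attribute> can survive.
CONFIG_XML = r"""<common-attributes>
  <attribute name="target">
    <regexp-list><regexp value="[a-zA-Z0-9-_\$]+" /></regexp-list>
  </attribute>
  <attribute name="new-attribute">
    <regexp-list><regexp value="[a-zA-Z0-9_\-\$]*" /></regexp-list>
  </attribute>
</common-attributes>"""


def load_allowed_attributes(config_xml):
    """Map each allowlisted attribute name to its compiled regexp rules."""
    allowed = {}
    for attr in ET.fromstring(config_xml).iter("attribute"):
        allowed[attr.get("name")] = [re.compile(rx.get("value")) for rx in attr.iter("regexp")]
    return allowed


class AttributeFilter(HTMLParser):
    """Re-emit markup, keeping only attributes whose value fully matches an allowed rule.
    Modelling assumption (not AEM's filter): a value-less attribute is checked as ""."""
    def __init__(self, allowed):
        super().__init__()
        self.allowed, self.out = allowed, []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = "" if value is None else value  # <div new-attribute> -> ""
            if any(rule.fullmatch(value) for rule in self.allowed.get(name, [])):
                kept.append(f" {name}" if value == "" else f' {name}="{value}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def sanitize(html, config_xml=CONFIG_XML):
    f = AttributeFilter(load_allowed_attributes(config_xml))
    f.feed(html)
    f.close()
    return "".join(f.out)
```

Running sanitize('<div new-attribute></div>') keeps the attribute, while sanitize('<div target></div>') drops it because the page's + rule cannot match an empty value.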