Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

onclick is getting removed

Avatar

Level 4

Hello All - I have added the below onclick event via crx (not added via RTE) while the page is loading, unclick is not getting loaded. if it is removed from RTE, we can says due to XSS, it is getting removed but not sure why it is removed in this case. Can someone shed some light on this?

 

<a  onclick="test(event);" href="https://www.fitbit.com/us/legal/trademark-list">https://www.test.com</a>

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @aemninja 

This is removed by XSS protection rule which is evaluated during runtime. So even if you are setting the value in crx/de, while rendering the content the XSS evaluation takes place which is finding this as a custom attribute with value and is removing it from the markup. You must be getting an error similar to the below:

The onclick attribute had a value of "something". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

 

If you want to allow this tag to be present in the markup, you will need to enable the tag with required value or need to use a regex pattern to allow multiple values under

/apps/cq/xssprotection/config.xml and it will start working.

 

https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?...

 

Hope this helps!

Thanks!

View solution in original post

2 Replies

Avatar

Community Advisor

Can you check once whether this has been saved in the crx or not ?

Though it is saved, it should be handled in other recommended way like:

author that anchor tag(<a ) with ID and in client library get that html element by id and do what ever you want.

this will be a good way to accomplish the task.

 

Hope this will help.

Umesh Thakur

Avatar

Correct answer by
Community Advisor

Hi @aemninja 

This is removed by XSS protection rule which is evaluated during runtime. So even if you are setting the value in crx/de, while rendering the content the XSS evaluation takes place which is finding this as a custom attribute with value and is removing it from the markup. You must be getting an error similar to the below:

The onclick attribute had a value of "something". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

 

If you want to allow this tag to be present in the markup, you will need to enable the tag with required value or need to use a regex pattern to allow multiple values under

/apps/cq/xssprotection/config.xml and it will start working.

 

https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?...

 

Hope this helps!

Thanks!