Hello All - I have added the below onclick event via crx (not added via RTE) while the page is loading, unclick is not getting loaded. if it is removed from RTE, we can says due to XSS, it is getting removed but not sure why it is removed in this case. Can someone shed some light on this?
This is removed by XSS protection rule which is evaluated during runtime. So even if you are setting the value in crx/de, while rendering the content the XSS evaluation takes place which is finding this as a custom attribute with value and is removing it from the markup. You must be getting an error similar to the below:
The onclick attribute had a value of "something". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.
If you want to allow this tag to be present in the markup, you will need to enable the tag with required value or need to use a regex pattern to allow multiple values under
/apps/cq/xssprotection/config.xml and it will start working.