onclick is getting removed

Avatar

Avatar

aemninja

Avatar

aemninja

aemninja

05-04-2021

Hello All - I have added the below onclick event via crx (not added via RTE) while the page is loading, unclick is not getting loaded. if it is removed from RTE, we can says due to XSS, it is getting removed but not sure why it is removed in this case. Can someone shed some light on this?

 

<a  onclick="test(event);" href="https://www.fitbit.com/us/legal/trademark-list">https://www.test.com</a>

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar

asutosh_j3

Avatar

asutosh_j3

asutosh_j3

05-04-2021

Hi @aemninja 

This is removed by XSS protection rule which is evaluated during runtime. So even if you are setting the value in crx/de, while rendering the content the XSS evaluation takes place which is finding this as a custom attribute with value and is removing it from the markup. You must be getting an error similar to the below:

The onclick attribute had a value of "something". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

 

If you want to allow this tag to be present in the markup, you will need to enable the tag with required value or need to use a regex pattern to allow multiple values under

/apps/cq/xssprotection/config.xml and it will start working.

 

https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?...

 

Hope this helps!

Thanks!

Answers (1)

Answers (1)

Avatar

Avatar

Umesh_Thakur

MVP

Avatar

Umesh_Thakur

MVP

Umesh_Thakur
MVP

05-04-2021

Can you check once whether this has been saved in the crx or not ?

Though it is saved, it should be handled in other recommended way like:

author that anchor tag(<a ) with ID and in client library get that html element by id and do what ever you want.

this will be a good way to accomplish the task.

 

Hope this will help.

Umesh Thakur