onclick is getting removed

aemninja

05-04-2021

Hello All - I have added the below onclick event via crx (not added via RTE). While the page is loading, onclick is not getting loaded. If it is removed from RTE, we can say that it is getting removed due to XSS, but I am not sure why it is removed in this case. Can someone shed some light on this?

 

<a  onclick="test(event);" href="https://www.fitbit.com/us/legal/trademark-list">https://www.test.com</a>

Accepted Solutions (1)

asutosh_jena

05-04-2021

Hi @aemninja 

This is removed by the XSS protection rule, which is evaluated during runtime. So even if you are setting the value in crx/de, the XSS evaluation takes place while rendering the content; it finds this as a custom attribute with a value and removes it from the markup. You must be getting an error similar to the below:

The onclick attribute had a value of "something". This value could not be accepted for security reasons. We have chosen to remove this attribute from the tag and leave everything else in place so that we could process the input.

 

If you want to allow this tag to be present in the markup, you will need to enable the tag with the required value, or use a regex pattern to allow multiple values, under /apps/cq/xssprotection/config.xml and it will start working.

 

https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?...

 

Hope this helps!

Thanks!

Answers (1)

Umesh_Thakur

05-04-2021

Can you check once whether this has been saved in the crx or not?

Though it is saved, it should be handled in another recommended way, like:

Author that anchor tag (<a) with an ID, and in the client library get that HTML element by ID and do whatever you want.

This will be a good way to accomplish the task.

 

Hope this will help.

Umesh Thakur
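
The approach from the reply above (give the anchor an ID and attach the handler from a client library) could look like the following. This is an added example, not code from the thread or from Adobe; the id `trademark-link` and the function names are assumptions, and it assumes the `id` attribute is left in place by the XSS filter.

```javascript
// Authored markup (no inline handler, so there is no onclick for the XSS filter to strip):
//   <a id="trademark-link" href="https://www.fitbit.com/us/legal/trademark-list">https://www.test.com</a>
// Assumed names, not from the thread: LINK_ID, onTrademarkLinkClick, bindLinkHandler.

const LINK_ID = 'trademark-link'; // hypothetical id set on the <a> by the author

// Plays the role of test(event) from the question.
function onTrademarkLinkClick(event) {
  const href = event.currentTarget.getAttribute('href');
  console.log('link clicked:', href);
  return href;
}

// Attach the handler by id. Returns true only when a new listener was added.
function bindLinkHandler(doc, id, handler) {
  const link = doc.getElementById(id);
  if (!link) {
    return false; // component is not on this page
  }
  if (link.dataset.clickBound === 'true') {
    return false; // already bound, e.g. the clientlib was included twice
  }
  link.addEventListener('click', handler);
  link.dataset.clickBound = 'true';
  return true;
}

// In the browser, bind once the DOM is ready; skipped when no document exists.
if (typeof document !== 'undefined') {
  const run = () => bindLinkHandler(document, LINK_ID, onTrademarkLinkClick);
  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', run);
  } else {
    run();
  }
}
```

Because the behaviour lives in the client library rather than in authored content, the XSS protection configuration does not need to be loosened to allow event-handler attributes.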