Expand my Community achievements bar.

SOLVED

Output HTML text entered as is instead of escaping it

Avatar

Level 5

We want the text component to be modified that "ANY" html should be interpreted as is. RTE doesn't allow say for example to insert <font style='10px'> etc. We want to create this as the authors are requesting complete control. As much as style and css are right options, the authors WANT that option available to ahve multiple formattings in same paragraph.

 

We've tried the following, 

<% String text2 = properties.get("text", "");
      out.print(text2);
%>
<cq:text property="text" escapeXml="true"/>

 

Both if text is <u>Sample text</u>

Do not interpret it and render it as is. However if we use <% out.println("<b>Sample</b>");%> it does work and makes the text bold. Is there a way to do this or the platform will ALWAYS deny it?

1 Accepted Solution

Avatar

Correct answer by
Employee

Hi,

The best thing to do is to modify the XSS Protection configuration to allow the font tag. See http://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html#Protect%20against%....

Regards,

Justin

View solution in original post

4 Replies

Avatar

Correct answer by
Employee

Hi,

The best thing to do is to modify the XSS Protection configuration to allow the font tag. See http://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html#Protect%20against%....

Regards,

Justin

Avatar

Level 5

Justin

How does the RTE work then? RTE allows you to bold and underline text. How does it bypass this rule setting?

Is it because all the allowed actions in RTE component are enabled in the configuration>

Avatar

Employee

Correct - the HTML output by the standard RTE plugins is generally allowed under the default XSS protection configuration.

Avatar

Level 8

Have you checked what is actually being persisted in the repository. The RTE will reformat HTML entered in the source edit option at times. Are you sure that the editor isn't changing your HTML before it's persisted?