Style tag onload events in XSSAPI

kishorek1264980
Level 2

05-02-2020

Both the cq (com.adobe.granite.xss.xssapi) and sling (org.apache.sling.xss.XSSAPI) xss filterHTML() methods allow the events in the style tag, which causes a security threat. May I know how to restrict it?

Eg.

xssAPI.filterHTML("<style onload=\"alert()\">test</style>") - Instead of removing the onload event, it allows the alert.

AEM antisamy cq security sling slingxss xss xssapi
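As an added regression check (not code from the question above or from the Sling/AEM XSS bundles), the snippet below scans whatever filterHTML() returned for any inline event-handler attribute on any element, so a unit test fails when the onload on the style tag survives. It uses Python's built-in HTML parser and the poster's own sample input; no AEM-specific names are assumed.

```python
from html.parser import HTMLParser

# Constructed sample: the exact input from the question, which the poster
# reports filterHTML() returns with the onload handler still present.
SAMPLE_OUTPUT = '<style onload="alert()">test</style>'


class EventHandlerFinder(HTMLParser):
    """Collects every attribute whose name starts with 'on' (onload, onclick, ...)
    on every element, including <style>. HTMLParser lowercases attribute
    names, so ONLOAD and onLoad are caught as well."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value) pairs; value is None for bare attributes
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append((tag, name))


def find_event_handler_attrs(html):
    """Return (tag, attribute) pairs for every event-handler attribute left in
    the given HTML string, e.g. [('style', 'onload')]; empty when none remain."""
    finder = EventHandlerFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def sanitizer_output_is_clean(html):
    """True when the sanitizer output carries no inline event handlers at all.
    Run this on the string filterHTML() returns rather than trusting the
    AntiSamy policy alone."""
    return not find_event_handler_attrs(html)


if __name__ == "__main__":
    print(find_event_handler_attrs(SAMPLE_OUTPUT))  # [('style', 'onload')]
    print(sanitizer_output_is_clean('<p class="note">test</p>'))  # True
```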