Style tag onload events in XSSAPI

kishorek1264980

05-02-2020

Both the CQ (com.adobe.granite.xss.XSSAPI) and Sling (org.apache.sling.xss.XSSAPI) XSS filterHTML() methods allow the events in a style tag, which causes a security threat. May I know how to restrict it?

Eg.

xssAPI.filterHTML("<style onload=\"alert()\">test</style>") - Instead of removing the onload event, it's allowing the alert.

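A regression check for the behaviour reported above, added here as an example and not code from Adobe, Apache Sling or the original post: it runs a handful of event-handler probes through XSSAPI.filterHTML() and reports any whose output still carries an on* attribute. Only the first probe comes from the post; the other inputs, the class name and the constructor-injected XSSAPI are assumptions, and the check expects to be wired into a JUnit test that obtains a real XSSAPI instance (for example via AEM Mocks).

```java
import org.apache.sling.xss.XSSAPI;

import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/**
 * Verifies that the configured XSSAPI strips inline event handlers from
 * filterHTML() output. It does not replace the sanitizer; it only detects
 * a policy that lets handlers such as onload on <style> pass through.
 */
public final class FilterHtmlEventAttributeCheck {

    // Constructed probe inputs (only the first is from the post). Each one
    // must come back without any on* attribute if the policy is sound.
    static final List<String> PROBES = Arrays.asList(
        "<style onload=\"alert()\">test</style>",
        "<style ONLOAD=\"alert()\">test</style>",   // attribute names are case-insensitive
        "<style onload = \"alert()\">test</style>", // whitespace around '=' is still valid HTML
        "<div onclick=\"alert()\">test</div>"       // a non-style element for comparison
    );

    // Any attribute whose name starts with "on" followed by letters and an '='
    // is an inline event handler; matched case-insensitively.
    private static final Pattern EVENT_ATTR = Pattern.compile("(?i)\\bon[a-z]+\\s*=");

    private final XSSAPI xssApi;

    // XSSAPI is normally an OSGi service; here it is injected by the caller.
    public FilterHtmlEventAttributeCheck(XSSAPI xssApi) {
        this.xssApi = xssApi;
    }

    /** Returns the probes whose filtered output still contains an event attribute. */
    public List<String> leakedProbes() {
        return PROBES.stream()
            .filter(probe -> EVENT_ATTR.matcher(xssApi.filterHTML(probe)).find())
            .collect(Collectors.toList());
    }

    /** True when every probe was neutralised by filterHTML(). */
    public boolean policyStripsEventHandlers() {
        return leakedProbes().isEmpty();
    }
}
```

In a JUnit test, assert that policyStripsEventHandlers() returns true; a failing run lists exactly which payload shapes the current AntiSamy policy lets through, which is what to fix in the policy rather than in page code.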