May i know the exact solution to avoid data-attributes getting filtered. Each and every time we are adding manually in xss-protection-config.xml.
For Eg if we have data-src attribute in img tag ,
<img data-src="url"/>
In xss-protection we have added code like below
<tag action="validate" name="img">
<attribute name="src" onInvalid="removeTag">
<regexp-list>
<regexp name="onsiteURL"/>
<regexp name="offsiteURL"/>
</regexp-list>
</attribute>
Is there any permanent fix to avoid data-* attributes getting filtered?
Views
Replies
Total Likes
Hi Kishore,
OOTB I could see below config as mentioned in [1].
In case you do not require to validate this attribute you can remove it from attribute list or create regex expression that allows everything.
Hence you can adapt this configuration as per your need by overlaying it taking into account security concerns at your end. Please refer [2]. The default AntiSamy configuration can be found at /libs/cq/xssprotection/config.xml
Cheers.
[1]:
<tag name="img" action="validate">
<attribute name="src" onInvalid="removeTag">
<regexp-list>
<regexp name="onsiteURL"/>
<regexp name="offsiteURL"/>
</regexp-list>
</attribute>
</tag>
[2]: Security
Views
Replies
Total Likes
There was a discussion for same in 2017, https://forums.adobe.com/thread/2321987
Don't think nobody at sling has developed this feature to bring it into AEM. Its a very very essential feature in HTML5 for sure