to avoid data-* attributes filtering

Community Advisor

May I know the exact solution to avoid data-attributes getting filtered? Each and every time, we are adding them manually in xss-protection-config.xml.

For example, if we have a data-src attribute in an img tag:

<img data-src="url"/>

In xss-protection, we have added code like below:

<tag action="validate" name="img">
            <attribute name="src" onInvalid="removeTag">
                <regexp-list>
                    <regexp name="onsiteURL"/>
                    <regexp name="offsiteURL"/>
                </regexp-list>
            </attribute>
</tag>

Is there any permanent fix to avoid data-* attributes getting filtered?

2 Replies

Level 2

Hi Kishore,

OOTB, I could see the below config, as mentioned in [1].

In case you do not need to validate this attribute, you can remove it from the attribute list or create a regex expression that allows everything.

Hence, you can adapt this configuration as per your needs by overlaying it, taking into account security concerns at your end. Please refer to [2]. The default AntiSamy configuration can be found at /libs/cq/xssprotection/config.xml

Cheers.

[1]:

<tag name="img" action="validate">
            <attribute name="src" onInvalid="removeTag">
                <regexp-list>
                    <regexp name="onsiteURL"/>
                    <regexp name="offsiteURL"/>
                </regexp-list>
            </attribute>
</tag>

[2]: Security
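An added example, not part of the original thread or of AEM/AntiSamy: a small Python audit that loads an AntiSamy-style policy overlay and reports attribute rules whose regexps accept values a URL-carrying attribute such as data-src should reject, which is what an "allows everything" regexp does. The sample policy, its simplified regexp values, the `anything` regexp name and the probe strings are constructed for illustration; only attributes defined inline under `<tag>` are checked, and Python's `re` stands in for Java regex.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample overlay; regexp values are simplified, not AEM's defaults.
SAMPLE_POLICY = """<anti-samy-rules>
  <common-regexps>
    <regexp name="onsiteURL" value="[A-Za-z0-9/._~-]+"/>
    <regexp name="offsiteURL" value="https?://[A-Za-z0-9/._~:?=&amp;%-]+"/>
    <regexp name="anything" value=".*"/>
  </common-regexps>
  <tag-rules>
    <tag name="img" action="validate">
      <attribute name="src" onInvalid="removeTag">
        <regexp-list><regexp name="onsiteURL"/><regexp name="offsiteURL"/></regexp-list>
      </attribute>
      <attribute name="data-src">
        <regexp-list><regexp name="anything"/></regexp-list>
      </attribute>
    </tag>
  </tag-rules>
</anti-samy-rules>"""

# Constructed probe values that a URL-carrying attribute should never accept.
PROBES = ["javascript:void(0)", "data:text/html,x", '"><b>']

def audit_policy(xml_text):
    """Return (tag, attribute, pattern, accepted_probes) per over-permissive rule."""
    root = ET.fromstring(xml_text)
    named = {r.get("name"): r.get("value")
             for r in root.findall("./common-regexps/regexp")}
    findings = []
    for tag in root.findall("./tag-rules/tag"):
        for attr in tag.findall("attribute"):
            for ref in attr.findall("./regexp-list/regexp"):
                pattern = ref.get("value") or named.get(ref.get("name"))
                if pattern is None:
                    continue  # named regexp is defined outside this file
                try:
                    rx = re.compile(pattern)
                except re.error:
                    # Java-only syntax (e.g. \p{L}); None marks it for manual review.
                    findings.append((tag.get("name"), attr.get("name"), pattern, None))
                    continue
                # The whole value must match, as with Java's Matcher.matches().
                accepted = [p for p in PROBES if rx.fullmatch(p)]
                if accepted:
                    findings.append((tag.get("name"), attr.get("name"), pattern, accepted))
    return findings
```

On the constructed sample, only the `data-src` rule bound to `.*` is reported; pointing it at the same URL regexps as `src` clears the finding.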

Employee Advisor

There was a discussion about the same in 2017: https://forums.adobe.com/thread/2321987

Don't think nobody at Sling has developed this feature to bring it into AEM. It's a very, very essential feature in HTML5 for sure.