to avoid data-* attributes filtering

kishorek1264980

27-07-2019

May I know the exact solution to avoid data-attributes getting filtered? Each and every time we are adding them manually in xss-protection-config.xml.

For example, if we have a data-src attribute in an img tag:

<img data-src="url"/>

In xss-protection we have added code like below:

<tag action="validate" name="img">
    <attribute name="src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>
</tag>

Is there any permanent fix to avoid data-* attributes getting filtered?

Replies

mr_chawla

28-07-2019

Hi Kishore,

OOTB, I could see the below config, as mentioned in [1].

In case you do not need to validate this attribute, you can remove it from the attribute list or create a regex expression that allows everything.

Hence, you can adapt this configuration as per your need by overlaying it, taking into account security concerns at your end. Please refer to [2]. The default AntiSamy configuration can be found at /libs/cq/xssprotection/config.xml.

Cheers.

[1]:

<tag name="img" action="validate">
    <attribute name="src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>
</tag>

[2]: Security
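
A sketch of what the overlay suggested above could look like for the data-src case from the question, as an added example that is not part of the original reply or of Adobe's shipped configuration. It keeps the OOTB src rule from [1] and validates data-src against the same named URL patterns instead of a regex that allows everything. It assumes onsiteURL and offsiteURL are defined in the policy's common regexps, as the OOTB rule implies; onInvalid="removeAttribute" is this example's choice.

```xml
<!-- Added example: img rule for an overlaid copy of the AntiSamy policy
     (the page gives the default location as /libs/cq/xssprotection/config.xml). -->
<tag name="img" action="validate">

    <!-- Unchanged OOTB rule quoted in [1]: a src that matches neither
         named URL pattern removes the whole img tag. -->
    <attribute name="src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>

    <!-- Added rule: data-src is typically copied into src by a lazy-loading
         script, so it gets the same URL validation as src. removeAttribute
         drops only the invalid attribute and keeps the tag (assumed choice). -->
    <attribute name="data-src" onInvalid="removeAttribute">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>

    <!-- Weak variant, shown for contrast and left commented out: an
         allow-everything pattern performs no validation of the value at all.
    <attribute name="data-src">
        <regexp-list>
            <regexp value=".*"/>
        </regexp-list>
    </attribute>
    -->
</tag>
```

As the question describes, each further data attribute still needs its own entry of this kind.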

Nirmal_Jose

29-07-2019

There was a discussion on the same in 2017: https://forums.adobe.com/thread/2321987

Don't think anybody at Sling has developed this feature to bring it into AEM. It's a very, very essential feature in HTML5 for sure.