to avoid data-* attributes filtering

kishorek1264980

27-07-2019

May I know the exact solution to avoid data-attributes getting filtered? Each and every time, we are adding them manually in xss-protection-config.xml.

For example, if we have a data-src attribute in an img tag,

<img data-src="url"/>

In xss-protection we have added code like below:

<tag action="validate" name="img">
    <attribute name="src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>
</tag>

Is there any permanent fix to avoid data-* attributes getting filtered?

Replies

mr_chawla

28-07-2019

Hi Kishore,

OOTB, I could see the below config, as mentioned in [1].

In case you do not need to validate this attribute, you can remove it from the attribute list or create a regex expression that allows everything.

Hence, you can adapt this configuration as per your need by overlaying it, taking into account security concerns at your end. Please refer to [2]. The default AntiSamy configuration can be found at /libs/cq/xssprotection/config.xml

Cheers.

[1]:

<tag name="img" action="validate">
    <attribute name="src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>
</tag>

[2]: Security
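
An added example, not part of the thread or of AEM: a small audit of an AntiSamy-format policy that reports, for the attributes a site's markup uses on a tag, which ones are undeclared (and therefore filtered) and which are declared with the "allows everything" regex mentioned in the reply above. The `audit` function, the sample policy, its regexp values and the names `anything`, `data-caption` and `data-srcset` are constructed for illustration; only regexp lists written inline on the tag are inspected, and `common-attributes` or `global-tag-attributes` entries are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed policy in AntiSamy format; regexp values are simplified placeholders,
# not the ones shipped in /libs/cq/xssprotection/config.xml.
POLICY = r"""<anti-samy-rules>
  <common-regexps>
    <regexp name="onsiteURL" value="^/[\w./-]*$"/>
    <regexp name="offsiteURL" value="^https?://[\w./-]+$"/>
    <regexp name="anything" value=".*"/>
  </common-regexps>
  <tag-rules>
    <tag name="img" action="validate">
      <attribute name="src" onInvalid="removeTag">
        <regexp-list><regexp name="onsiteURL"/><regexp name="offsiteURL"/></regexp-list>
      </attribute>
      <attribute name="data-src">
        <regexp-list><regexp name="onsiteURL"/><regexp name="offsiteURL"/></regexp-list>
      </attribute>
      <attribute name="data-caption">
        <regexp-list><regexp name="anything"/></regexp-list>
      </attribute>
    </tag>
  </tag-rules>
</anti-samy-rules>"""

# Patterns (after stripping ^ and $ anchors) treated as "match everything".
MATCH_ALL = {".*", ".+", r"[\s\S]*", r"[\s\S]+"}

def audit(policy_xml, tag, used_attrs):
    """Classify each attribute used on <tag>: 'missing' (undeclared, so filtered),
    'allow-all' (declared with a match-everything regexp) or 'validated'."""
    root = ET.fromstring(policy_xml)
    named = {r.get("name"): r.get("value") for r in root.findall("common-regexps/regexp")}
    rule = next((t for t in root.iter("tag") if t.get("name") == tag), None)
    declared = {}
    for attr in (rule.findall("attribute") if rule is not None else []):
        # A <regexp> either carries its own value or refers to a common regexp by name.
        declared[attr.get("name")] = [r.get("value") or named.get(r.get("name"), "")
                                      for r in attr.findall("regexp-list/regexp")]
    report = {}
    for name in used_attrs:
        if name not in declared:
            report[name] = "missing"
        elif any(p.strip("^$") in MATCH_ALL for p in declared[name]):
            report[name] = "allow-all"
        else:
            report[name] = "validated"
    return report

if __name__ == "__main__":
    print(audit(POLICY, "img", ["src", "data-src", "data-caption", "data-srcset"]))
```

Attributes reported as `allow-all` are the ones to review when the value is later copied into `src` or otherwise interpreted by client-side script.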

Nirmal_Jose

MVP

29-07-2019

There was a discussion on the same in 2017: https://forums.adobe.com/thread/2321987

Don't think anybody at Sling has developed this feature to bring it into AEM. It's a very, very essential feature in HTML5 for sure.