to avoid data-* attributes filtering

kishorekumar14
Level 9

May I know the exact solution to avoid data-attributes getting filtered? Each and every time we are adding them manually in xss-protection-config.xml.

For example, if we have a data-src attribute in an img tag,

<img data-src="url"/>

In xss-protection we have added code like below

<tag action="validate" name="img">
            <attribute name="src" onInvalid="removeTag">
                <regexp-list>
                    <regexp name="onsiteURL"/>
                    <regexp name="offsiteURL"/>
                </regexp-list>
            </attribute>
</tag>

Is there any permanent fix to avoid data-* attributes getting filtered?

2 Replies
mr_chawla
Level 2

Hi Kishore,

OOTB I could see the below config, as mentioned in [1].

In case you do not need to validate this attribute, you can remove it from the attribute list or create a regex expression that allows everything.

Hence you can adapt this configuration as per your need by overlaying it, taking into account security concerns at your end. Please refer to [2]. The default AntiSamy configuration can be found at /libs/cq/xssprotection/config.xml

Cheers.

[1]:

<tag name="img" action="validate">
            <attribute name="src" onInvalid="removeTag">
                <regexp-list>
                    <regexp name="onsiteURL"/>
                    <regexp name="offsiteURL"/>
                </regexp-list>
            </attribute>
</tag>

[2]: Security
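
Added example, not part of the replies in this thread and not Adobe's shipped configuration: the img rule from [1] extended with a data-src attribute, showing the "allow everything" pattern beside a rule that reuses the URL checks already applied to src. It assumes the overlay is a full copy of /libs/cq/xssprotection/config.xml placed at /apps/cq/xssprotection/config.xml (assumed path) and that onsiteURL and offsiteURL are defined in that file, as the snippet in [1] implies.

```xml
<!-- Added example. Assumed overlay location: /apps/cq/xssprotection/config.xml.
     The two variants below are alternatives; keep only one img rule in the file. -->

<!-- Variant A (permissive): data-src is kept whatever its value. Any value that a
     client-side script later copies into src bypasses the URL validation that
     the src attribute itself receives. -->
<tag name="img" action="validate">
    <attribute name="src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>
    <attribute name="data-src">
        <regexp-list>
            <regexp value=".*"/>
        </regexp-list>
    </attribute>
</tag>

<!-- Variant B (validated): data-src must match the same named URL patterns as
     src; an invalid value removes the whole img tag, as it does for src. -->
<tag name="img" action="validate">
    <attribute name="src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>
    <attribute name="data-src" onInvalid="removeTag">
        <regexp-list>
            <regexp name="onsiteURL"/>
            <regexp name="offsiteURL"/>
        </regexp-list>
    </attribute>
</tag>
```

Each data-* attribute still has to be listed by name, per tag, in the same way.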

Nirmal_Jose
Community Advisor

There was a discussion for the same in 2017: https://forums.adobe.com/thread/2321987

Don't think anybody at Sling has developed this feature to bring it into AEM. It's a very, very essential feature in HTML5 for sure.