whitelist aria label in xss protection

ravi_shankerj14
Level 1

20-11-2020

Hi there,

Our requirement is to use the "aria-label" attribute in the anchor tag in source edit of the RTE component. We have also tried overlaying the "xssprotection/config.xml" and adding this attribute to the tag, but we are still unable to resolve the issue.

Changes we have made in config.xml:

<tag name="a" action="validate">

    <!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
    <attribute name="href"/>
    <attribute name="aria-label">
        <regexp-list>
            <regexp value="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="onFocus"/>
    <attribute name="onBlur"/>
    <attribute name="nohref">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="rel">
        <literal-list>
            <literal value="nofollow"/>
        </literal-list>
    </attribute>
    <attribute name="name"/>
    <attribute name="target" />
    <attribute name="onclick">
        <literal-list>
            <literal value="CQ_Analytics.Sitecatalyst.customTrack(this)"/>
        </literal-list>
    </attribute>
    <attribute name="adhocenable">
        <literal-list>
            <literal value="true"/>
            <literal value="false"/>
        </literal-list>
    </attribute>
    <attribute name="adhocevents">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="adhocevars">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>

    <!-- attributes used by the Adobe Campaign integration in links to landing pages -->
    <attribute name="data-nl-type">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-landingpage">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-landingpagelabel">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-landingpagedynamicservice">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-service">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-servicelabel">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
</tag>

Accepted Solutions (1)

shelly-goel
MVP

22-11-2020

@ravi_shankerj14 To allow a new HTML attribute in richtext sourceedit, whitelisting it in the xssprotection config should make it work. It worked for me when I tried it in WKND pages with a new attribute added in /apps/cq/xssprotection/config.xml

A few things to try at your end:

1. Try adding just the aria-label attribute under a tag in libs xssprotection config and test if that works. If not, you can also try checking on sample WKND content (it might not be working due to richtext customization or project-specific code/content).

2. If that works, then check if the overlay is correct in apps. It might be worth checking if you have other changes in this overlay that work but aria-label doesn't, or if none of the custom changes work. There might be issues with the overlaid file.
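One way to check an overlaid file before testing it in the editor, added here as an example that is not part of the reply above or of AEM itself. It assumes the file follows the AntiSamy policy layout, where `<regexp name="..."/>` references an entry in `<common-regexps>` and `<regexp value="..."/>` is an inline pattern matched against the whole attribute value; the sample policy, the `anything` = `.*` definition and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in AntiSamy policy layout (not the poster's full file).
SAMPLE_POLICY = """<anti-samy-rules>
  <common-regexps><regexp name="anything" value=".*"/></common-regexps>
  <tag-rules>
    <tag name="a" action="validate">
      <attribute name="aria-label">
        <regexp-list><regexp value="anything"/></regexp-list>
      </attribute>
      <attribute name="nohref">
        <regexp-list><regexp name="anything"/></regexp-list>
      </attribute>
    </tag>
  </tag-rules>
</anti-samy-rules>"""

def _load(policy_xml):
    root = ET.fromstring(policy_xml)
    common = {r.get("name"): r.get("value")
              for r in root.findall("./common-regexps/regexp")}
    return root, common

def _resolve(regexp, common):
    # name= references <common-regexps>; value= is an inline pattern (assumed semantics).
    return common[regexp.get("name")] if regexp.get("name") else regexp.get("value")

def accepts(policy_xml, tag, attr, value):
    """True if tag/@attr has a regexp-list and one pattern matches the whole value."""
    root, common = _load(policy_xml)
    path = f"./tag-rules/tag[@name='{tag}']/attribute[@name='{attr}']/regexp-list/regexp"
    # Python's re stands in for the Java regex engine; these patterns behave the same.
    return any(re.fullmatch(_resolve(r, common), value) for r in root.findall(path))

def suspicious_inline(policy_xml):
    """Inline value= patterns that only spell the name of a common regexp."""
    root, common = _load(policy_xml)
    hits = []
    for tag in root.findall("./tag-rules/tag"):
        for attr in tag.findall("attribute"):
            for r in attr.findall("./regexp-list/regexp"):
                if not r.get("name") and r.get("value") in common:
                    hits.append((tag.get("name"), attr.get("name"), r.get("value")))
    return hits
```

Under these assumptions the inline form only admits the literal text `anything`, while the named reference admits any value; where the label text allows it, a narrower pattern than `.*` is the tighter setting.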

Answers (1)

Arun_Patidar
MVP

22-11-2020

Hi,

Please follow the article below to add a new attribute in the link plugin:

http://experience-aem.blogspot.com/2017/09/aem-63-touch-ui-extend-rich-text-link-dialog-add-rel-sele...