whitelist aria label in xss protection

ravi_shankerj14

20-11-2020

Hi there,

Our requirement is to use the "aria-label" attribute in the anchor tag in the source edit of the RTE component. We have also tried overlaying "xssprotection/config.xml" and adding this attribute to the tag, but we are still unable to resolve the issue.

Changes we have made in config.xml:

<tag name="a" action="validate">
    <!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
    <attribute name="href"/>
    <attribute name="aria-label">
        <regexp-list>
            <regexp value="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="onFocus"/>
    <attribute name="onBlur"/>
    <attribute name="nohref">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="rel">
        <literal-list>
            <literal value="nofollow"/>
        </literal-list>
    </attribute>
    <attribute name="name"/>
    <attribute name="target" />
    <attribute name="onclick">
        <literal-list>
            <literal value="CQ_Analytics.Sitecatalyst.customTrack(this)"/>
        </literal-list>
    </attribute>
    <attribute name="adhocenable">
        <literal-list>
            <literal value="true"/>
            <literal value="false"/>
        </literal-list>
    </attribute>
    <attribute name="adhocevents">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="adhocevars">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>

    <!-- attributes used by the Adobe Campaign integration in links to landing pages -->
    <attribute name="data-nl-type">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-landingpage">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-landingpagelabel">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-landingpagedynamicservice">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-service">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
    <attribute name="data-nl-servicelabel">
        <regexp-list>
            <regexp name="anything"/>
        </regexp-list>
    </attribute>
</tag>

 

Accepted Solutions (1)

shelly-goel

22-11-2020

@ravi_shankerj14 To allow a new HTML attribute in richtext sourceedit, whitelisting it in the xssprotection config should make it work. It worked for me when I tried it in WKND pages with the new attribute added in /apps/cq/xssprotection/config.xml

A few things to try at your end:

1. Try adding just the aria-label attribute under a tag in libs xssprotection config and test if that works. If not, you can also try checking on sample WKND content (it might not be working due to richtext customization or project-specific code/content).

2. If that works, then check if the overlay is correct in apps. It might be worth checking whether you have other changes in this overlay that work while aria-label doesn't, or whether none of the custom changes work. There might be issues with the overlaid file.
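
One check worth running on the overlaid file, added here as an example that is not part of the original thread or of Adobe's code: in the config.xml quoted in the question, aria-label uses `<regexp value="anything"/>` while every other attribute uses `<regexp name="anything"/>`. The Python sketch below models AntiSamy-style rules to show how the two forms differ. Assumptions: the `anything` common regexp is `.*`, values are matched whole, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy fragment: two of the <tag name="a"> attributes quoted in the
# question. The common-regexps entry (anything = .*) is an assumption.
POLICY = """
<anti-samy-rules>
  <common-regexps>
    <regexp name="anything" value=".*"/>
  </common-regexps>
  <tag-rules>
    <tag name="a" action="validate">
      <attribute name="aria-label">
        <regexp-list><regexp value="anything"/></regexp-list>
      </attribute>
      <attribute name="nohref">
        <regexp-list><regexp name="anything"/></regexp-list>
      </attribute>
    </tag>
  </tag-rules>
</anti-samy-rules>
"""

def load_rules(policy_xml):
    """Return (common, rules); rules maps (tag, attr) to [(pattern, is_inline)]."""
    root = ET.fromstring(policy_xml)
    common = {r.get("name"): r.get("value") for r in root.iterfind("common-regexps/regexp")}
    rules = {}
    for tag in root.iterfind("tag-rules/tag"):
        for attr in tag.iterfind("attribute"):
            pats = []
            for r in attr.iterfind("regexp-list/regexp"):
                if r.get("name"):            # name= points at a shared pattern
                    pats.append((common[r.get("name")], False))
                else:                        # value= is itself the pattern
                    pats.append((r.get("value"), True))
            rules[(tag.get("name"), attr.get("name"))] = pats
    return common, rules

def attribute_allowed(rules, tag, attr, value):
    """Assumed matching model: the whole attribute value must match one pattern."""
    return any(re.fullmatch(p, value, re.DOTALL) for p, _ in rules.get((tag, attr), []))

def name_value_mixups(common, rules):
    """Inline value= patterns that are really the name of a common regexp."""
    return sorted(k for k, pats in rules.items()
                  if any(inline and p in common for p, inline in pats))

if __name__ == "__main__":
    common, rules = load_rules(POLICY)
    print(attribute_allowed(rules, "a", "aria-label", "Open main menu"))
    print(name_value_mixups(common, rules))
```

Under this model an aria-label is accepted only when its text is literally "anything", so a real label is rejected while the attributes that reference the pattern by name accept any value.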

Answers (1)

Arun_Patidar
MVP

22-11-2020

Hi,

Please follow the article below to add a new attribute in the link plugin:

http://experience-aem.blogspot.com/2017/09/aem-63-touch-ui-extend-rich-text-link-dialog-add-rel-sele...