SOLVED

XSS AntiSamy configuration for data attributes

Level 4

If I had an overlay of the AntiSamy config file at /apps/cq/xssprotection/config.xml, could I adjust it to allow random data attributes specified by authors? I see it uses regular expressions to validate attribute values, but can I use a regular expression to validate an attribute name? For example, say an author wanted a div to have a data attribute with a name that ended in random letters like:

<div data-author-xbqmuwzkcsa="somevalue"></div>

Is there a way to allow random attribute names like that in the AntiSamy config? 

1 Accepted Solution

Correct answer by
Level 4

This topic was raised in an internal discussion at my company where there is a desire to use HTML5 "data-" attributes without having to wire each one into the AntiSamy config.xml. This use case was once publicly discussed in a non-AEM project at https://jira.sakaiproject.org/browse/KNL-1007 . I was just wondering if this is currently possible with AEM AntiSamy.

3 Replies

Level 10

Are you following an online doc topic for this? Can you point the community to your source of information for this use case?
