SOLVED

XSS AntiSamy configuration for data attributes

Level 4

If I had an overlay of the AntiSamy config file at /apps/cq/xssprotection/config.xml, could I adjust it to allow random data attributes specified by authors? I see it uses regular expressions to validate attribute values, but can I use a regular expression to validate an attribute name? For example, say an author wanted a div to have a data attribute with a name that ended in random letters like:

<div data-author-xbqmuwzkcsa="somevalue"></div>

Is there a way to allow random attribute names like that in the AntiSamy config? 

3 Replies

Level 10

Are you following an online doc topic for this? Can you point the community to your source of information for this use case?

Level 2

https://helpx.adobe.com/experience-manager/kb/target-attribut-issue-tag.html

https://docs.adobe.com/docs/en/aem/6-2/develop/security.html

There's not a tremendous amount of documentation and the AntiSamy project hasn't been developed since 2013.

Correct answer by
Level 4

This topic was raised in an internal discussion at my company where there is a desire to use HTML5 "data-" attributes without having to wire each one into the AntiSamy config.xml. This use case was once publicly discussed in a non-AEM project at https://jira.sakaiproject.org/browse/KNL-1007 . I was just wondering if this is currently possible with AEM AntiSamy.