Expand my Community achievements bar.

Adobe Summit is live! Tune in to take part in the premier digital experience event.
Join now
SOLVED

XSS AntiSamy configuration for data attributes

Avatar

Level 4
Level 4
5/23/17 4:39:36 PM

If I had an overlay of of the AntiSamy config file at /apps/cq/xssprotection/config.xml, could I adjust it to allow random data attributes specified by authors? I see it uses regular expressions to validate attribute values, but can I use a regular expression to validate an attribute name? For example, say an author wanted a div to have a data attribute with a name that ended in random letters like:

<div data-author-xbqmuwzkcsa="somevalue"></div>

Is there a way to allow random attribute names like that in the AntiSamy config? 

Views

3.3K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 4
Level 4
5/24/17 12:30:14 PM

This topic was raised in an internal discussion at my company where there is a desire to use HTML5 "data-" attributes without having to wire each one into the AntiSamy config.xml. This use case was once publicly discussed in a non-AEM project at https://jira.sakaiproject.org/browse/KNL-1007 . I was just wondering if this is currently possible with AEM AntiSamy.

View solution in original post

Views

2.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Level 10
Level 10
5/24/17 9:35:52 AM

Are you following an online doc topic for this. Can you point the community to your source of information for this use case. 

Views

2.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
5/24/17 12:15:06 PM

https://helpx.adobe.com/experience-manager/kb/target-attribut-issue-tag.html

https://docs.adobe.com/docs/en/aem/6-2/develop/security.html

There's not a tremendous amount of documentation and the antisamy project hasn't been developed since 2013.  

Views

2.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 4
Level 4
5/24/17 12:30:14 PM

This topic was raised in an internal discussion at my company where there is a desire to use HTML5 "data-" attributes without having to wire each one into the AntiSamy config.xml. This use case was once publicly discussed in a non-AEM project at https://jira.sakaiproject.org/browse/KNL-1007 . I was just wondering if this is currently possible with AEM AntiSamy.

Views

2.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
data-sly-resource not editable without wcmmode='disabled' Solved

Views

124

Likes

0

Replies

2
Dynamic Sitemap usinf factory Configuration Solved

Views

377

Likes

0

Replies

6
Set up Azure AD OpenID Connect(OIDC) for Adobe Experience Manager (AEM)

Views

63

Likes

0

Replies

2
Changes in custom index for AEMaaCS not working

Views

81

Likes

0

Replies

2
Layering for rich text field RTE plugins into the component dialog is not working

Views

120

Likes

0

Replies

3