This conversation has been locked due to inactivity. Please create a new post.
I'm trying to use the embed component, and when I use HTML that has an iframe with the height set to a number and the width set to a percent, the width is invalidated and removed but the height passes. How do I change the regex so that width="100%" does not get filtered out?
From the /libs/cq/xssprotection/config.xml configuration.
<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
If I set height or width to a percent, the attribute is filtered out by the validation. If it is a number, it passes and is kept.
I found my own answer. Because the percent width and height are actually allowed by modern browsers I changed the values in the /libs/cq/xssprotection/config.xml file from:
<tag name="iframe" action="validate">
  <attribute name="src">
    <regexp-list>
      <regexp name="iframesrc"/>
    </regexp-list>
  </attribute>
  <attribute name="height">
    <regexp-list><regexp name="number"/></regexp-list>
  </attribute>
  <attribute name="width">
    <regexp-list><regexp name="number"/></regexp-list>
  </attribute>
  <attribute name="frameborder">
    <regexp-list><regexp name="number"/></regexp-list>
  </attribute>
</tag>
to:
<tag name="iframe" action="validate">
  <attribute name="src">
    <regexp-list>
      <regexp name="iframesrc"/>
    </regexp-list>
  </attribute>
  <attribute name="height">
    <regexp-list><regexp name="numberOrPercent"/></regexp-list>
  </attribute>
  <attribute name="width">
    <regexp-list><regexp name="numberOrPercent"/></regexp-list>
  </attribute>
  <attribute name="frameborder">
    <regexp-list><regexp name="number"/></regexp-list>
  </attribute>
  <attribute name="allow">
    <regexp-list><regexp name="anything"/></regexp-list>
  </attribute>
</tag>
And now height and width accept a percent, and the allow attribute passes.
I'm not sure how a percent width would be an XSS violation. Maybe someone could enlighten me.
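As an added example (not from the thread and not AEM's own code), a small Python validator that applies config.xml-style rules the way the question describes: each attribute value is matched in full against the regexps listed for it and dropped otherwise. Only the numberOrPercent value comes from the thread; the number and anything values are simplified stand-ins, and full-string anchoring of each pattern is an assumption about the validator.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of /libs/cq/xssprotection/config.xml.
# numberOrPercent is the value quoted in the thread; number and anything
# are simplified stand-ins (assumption), not the shipped definitions.
POLICY_XML = """
<policy>
  <common-regexps>
    <regexp name="number" value="(\\d)+"/>
    <regexp name="numberOrPercent" value="(\\d)+(%{0,1})"/>
    <regexp name="anything" value=".*"/>
  </common-regexps>
  <tag-rules>
    <tag name="iframe" action="validate">
      <attribute name="height">
        <regexp-list><regexp name="number"/></regexp-list>
      </attribute>
      <attribute name="width">
        <regexp-list><regexp name="numberOrPercent"/></regexp-list>
      </attribute>
      <attribute name="allow">
        <regexp-list><regexp name="anything"/></regexp-list>
      </attribute>
    </tag>
  </tag-rules>
</policy>
"""

def load_policy(xml_text):
    """Return {tag: {attribute: [compiled patterns]}}. Patterns are anchored
    with ^ and $ so a value must match in full (assumed validator behaviour)."""
    root = ET.fromstring(xml_text)
    common = {r.get("name"): re.compile("^" + r.get("value") + "$")
              for r in root.iter("regexp") if r.get("value")}  # definitions only
    rules = {}
    for tag in root.iter("tag"):
        attrs = {}
        for attr in tag.iter("attribute"):
            # regexp elements here carry only a name: resolve to definitions
            attrs[attr.get("name")] = [common[r.get("name")]
                                        for r in attr.iter("regexp")]
        rules[tag.get("name")] = attrs
    return rules

def validate_attributes(rules, tag, attributes):
    """Keep an attribute only if one of its patterns matches the whole value;
    drop it otherwise (the thread's symptom) and drop unlisted attributes."""
    kept = {}
    for name, value in attributes.items():
        patterns = rules.get(tag, {}).get(name)
        if patterns and any(p.match(value) for p in patterns):
            kept[name] = value
    return kept
```

Note that a rule named anything accepts every value, so pointing an attribute at it means that attribute is no longer validated at all.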
Iframe width can only be in pixels
https://www.w3schools.com/tags/att_iframe_width.asp
For a full-width iframe, you can check the sample code below: https://codepen.io/hacitsu/pen/yLNpyEV
Sorry but I think that it is wrong to say that the width can only be in pixels. I have used percentages VERY successfully. Same with height but the validator removes this setting.