SOLVED

XSS numberOrPercent validation fails for percent

Level 4

I'm trying to use the embed component and when I use HTML that has an iframe with the height set to a number and the width set to a percent, the width is invalidated and removed but the height passes. How do I change the regex so that width="100%" does not get filtered out?


From the /libs/cq/xssprotection/config.xml configuration.


<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>


If I set height or width to a percent, the attribute is filtered out by the validation. If it is a number, it passes and is kept.

1 Accepted Solution

Correct answer by
Level 4

I found my own answer. Because the percent width and height are actually allowed by modern browsers I changed the values in the /libs/cq/xssprotection/config.xml file from:

        <tag name="iframe" action="validate">
            <attribute name="src">
                <regexp-list>
                    <regexp name="iframesrc"/>
                </regexp-list>
            </attribute>
            <attribute name="height">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
            <attribute name="width">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
            <attribute name="frameborder">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
        </tag>

to:

        <tag name="iframe" action="validate">
            <attribute name="src">
                <regexp-list>
                    <regexp name="iframesrc"/>
                </regexp-list>
            </attribute>
            <attribute name="height">
                <regexp-list><regexp name="numberOrPercent"/></regexp-list>
            </attribute>
            <attribute name="width">
                <regexp-list><regexp name="numberOrPercent"/></regexp-list>
            </attribute>
            <attribute name="frameborder">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
            <attribute name="allow">
                <regexp-list><regexp name="anything"/></regexp-list>
            </attribute>
        </tag>

And now the height and width accept the percent values, and the allow attribute passes.
I'm not sure how a percent width would be an XSS violation. Maybe someone could enlighten me.

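To answer the closing question: the numberOrPercent regexp quoted above already accepts "100%"; the original policy simply bound width and height to the number regexp, so the percent value never reached it. The following is an added example (not code from the post or from AEM) that models an AntiSamy-style "validate" action over the two iframe policies from the answer; the number and anything definitions, and full-match semantics, are assumptions, and the policies are trimmed to the attributes under discussion.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the regexp definitions in config.xml.
# "numberOrPercent" is the value quoted in the question; "number" and
# "anything" are assumed definitions, not copied from the real file.
REGEX_DEFS = r"""
<regexp-list>
    <regexp name="number" value="\d+"/>
    <regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
    <regexp name="anything" value=".*"/>
</regexp-list>
"""

# Iframe policies from the accepted answer, trimmed to the relevant attributes.
POLICY_BEFORE = """
<tag name="iframe" action="validate">
    <attribute name="height"><regexp-list><regexp name="number"/></regexp-list></attribute>
    <attribute name="width"><regexp-list><regexp name="number"/></regexp-list></attribute>
    <attribute name="frameborder"><regexp-list><regexp name="number"/></regexp-list></attribute>
</tag>
"""
POLICY_AFTER = """
<tag name="iframe" action="validate">
    <attribute name="height"><regexp-list><regexp name="numberOrPercent"/></regexp-list></attribute>
    <attribute name="width"><regexp-list><regexp name="numberOrPercent"/></regexp-list></attribute>
    <attribute name="frameborder"><regexp-list><regexp name="number"/></regexp-list></attribute>
    <attribute name="allow"><regexp-list><regexp name="anything"/></regexp-list></attribute>
</tag>
"""


def load_regexps(xml_text):
    """Map regexp names to compiled patterns."""
    root = ET.fromstring(xml_text)
    return {r.get("name"): re.compile(r.get("value")) for r in root.iter("regexp")}


def load_policy(xml_text):
    """Map each allowed attribute name to the regexp names it may match."""
    tag = ET.fromstring(xml_text)
    return {a.get("name"): [r.get("name") for r in a.iter("regexp")]
            for a in tag.findall("attribute")}


def validate_attrs(policy_xml, attrs, regex_defs=REGEX_DEFS):
    """Keep an attribute only if the policy names it and its whole value
    matches one of its regexps (assumed full-match semantics); drop the rest."""
    regexps = load_regexps(regex_defs)
    policy = load_policy(policy_xml)
    return {name: value for name, value in attrs.items()
            if any(regexps[n].fullmatch(value) for n in policy.get(name, []))}
```

Note that "anything" really is unconstrained, so the allow attribute now carries whatever feature list the embedded HTML supplies; if only one feature is needed, a narrower regexp keeps the policy tight.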

3 Replies

Community Advisor

Iframe width can only be in pixels

https://www.w3schools.com/tags/att_iframe_width.asp 


For fullwidth iframe, you can check below sample code https://codepen.io/hacitsu/pen/yLNpyEV 

Arun Patidar

Level 4

Sorry but I think that it is wrong to say that the width can only be in pixels. I have used percentages VERY successfully. Same with height but the validator removes this setting.
