XSS numberOrPercent validation fails for percent | Community
Robert-Harper
Level 3
October 10, 2022
Solved

XSS numberOrPercent validation fails for percent

  • October 10, 2022
  • 2 replies
  • 772 views

I'm trying to use the embed component and when I use HTML that has an iframe with the height set to a number and the width set to a percent, the width is invalidated and removed but the height passes. How do I change the regex so that width="100%" does not get filtered out?

From the /libs/cq/xssprotection/config.xml configuration.

<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>

If I set height or width to a percent, the attribute is filtered out by the validation. If it is a number, it passes and is kept.

2 replies

arunpatidar
Community Advisor
October 11, 2022

Iframe width can only be in pixels

https://www.w3schools.com/tags/att_iframe_width.asp

For a full-width iframe, you can check the sample code at https://codepen.io/hacitsu/pen/yLNpyEV

Arun Patidar
Robert-Harper
Level 3
October 11, 2022

Sorry, but I think that it is wrong to say that the width can only be in pixels. I have used percentages VERY successfully. Same with height, but the validator removes this setting.

Robert-Harper (Author, Accepted solution)
Level 3
October 11, 2022

I found my own answer. Because percent width and height are actually allowed by modern browsers, I changed the values in the /libs/cq/xssprotection/config.xml file from:

        <tag name="iframe" action="validate">
            <attribute name="src">
                <regexp-list>
                    <regexp name="iframesrc"/>
                </regexp-list>
            </attribute>
            <attribute name="height">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
            <attribute name="width">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
            <attribute name="frameborder">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
        </tag>

to:

        <tag name="iframe" action="validate">
            <attribute name="src">
                <regexp-list>
                    <regexp name="iframesrc"/>
                </regexp-list>
            </attribute>
            <attribute name="height">
                <regexp-list><regexp name="numberOrPercent"/></regexp-list>
            </attribute>
            <attribute name="width">
                <regexp-list><regexp name="numberOrPercent"/></regexp-list>
            </attribute>
            <attribute name="frameborder">
                <regexp-list><regexp name="number"/></regexp-list>
            </attribute>
            <attribute name="allow">
                <regexp-list><regexp name="anything"/></regexp-list>
            </attribute>
        </tag>

And now the height and width allow percent values, and the allow attribute passes.
I'm not sure how a percent width would be an XSS violation. Maybe someone could enlighten me.
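As an added illustration (not code from this thread or from AEM itself), here is a small Python model of how a named-regexp policy like the iframe rule above accepts or drops attribute values; only numberOrPercent is quoted in the thread, so the number and iframesrc patterns and the full-match semantics are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Named regexps. numberOrPercent is the page's definition from
# /libs/cq/xssprotection/config.xml; the other two are constructed stand-ins
# for entries the thread does not quote.
REGEXPS = {
    "numberOrPercent": r"(\d)+(%{0,1})",
    "number": r"\d+",                        # assumed definition
    "iframesrc": r"https://[^\s\"'<>]+",     # assumed, deliberately narrow
}

# The "after" iframe rule from the thread, without the allow/anything entry.
POLICY_XML = """
<tag name="iframe" action="validate">
  <attribute name="src"><regexp-list><regexp name="iframesrc"/></regexp-list></attribute>
  <attribute name="height"><regexp-list><regexp name="numberOrPercent"/></regexp-list></attribute>
  <attribute name="width"><regexp-list><regexp name="numberOrPercent"/></regexp-list></attribute>
  <attribute name="frameborder"><regexp-list><regexp name="number"/></regexp-list></attribute>
</tag>
"""

def load_policy(xml_text):
    """Map attribute name -> names of the regexps that may accept its value."""
    tag = ET.fromstring(xml_text.strip())
    return {
        attr.get("name"): [r.get("name") for r in attr.iter("regexp")]
        for attr in tag.findall("attribute")
    }

def attribute_allowed(policy, name, value):
    """True if the attribute is listed and its value fully matches one regexp.
    Full-match semantics are assumed: with a partial match, '100% extra'
    would slip through because '100%' matches at the start."""
    names = policy.get(name)
    if not names:
        return False  # attributes the rule does not list are dropped entirely
    return any(re.fullmatch(REGEXPS[n], value) for n in names)

def filter_attributes(policy, attrs):
    """Return only the attributes that survive validation."""
    return {k: v for k, v in attrs.items() if attribute_allowed(policy, k, v)}

if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    sample = {"src": "https://example.com/embed", "width": "100%",
              "height": "300", "frameborder": "0", "onload": "x"}
    print(filter_attributes(policy, sample))  # onload is dropped, width="100%" kept
```

Under the original rule, width pointed at the number regexp, which is why "100%" was stripped while "300" survived; the thread's final rule also maps allow to the anything regexp, which is left out here, since a named pattern limited to the permission tokens actually needed keeps that attribute validated rather than passed through.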