XSS protection is filtering escaped HTML tags

frederik_witte

05-03-2019

Hey guys,

We have a scenario in which we have a multifield that contains rich text. Now this rich text gets saved in CRX, and we need to apply it to the title attribute of a span. So the input looks something like this:

<span data-tooltip-ref="/path/to/rte/value"></span>

Which then gets passed through a model which should output this:

<span title="&lt;p&gt;Test&lt;&#47;p&gt;"></span>

Now the XSS protection filters it out. We already overlaid cq/xssprotection/config.xml and included the attribute:

<tag name="span" action="validate">
  <attribute name="title">
    <regexp-list>
      <regexp value=".*"/>
    </regexp-list>
  </attribute>
</tag>

But sadly that doesn't work; it still gets filtered out by AEM. I even tried to put this config inside /libs/sling/xss and /libs/cq/xssprotection, without success.

Is AEM by default filtering out escaped HTML tags? How can I make this work?

Answers (0)