SOLVED

xssAPI.getValidHref returns empty if xssprotection/config.xml's anchor tag-rule is set to "filter" or "remove"

Former Community Member

In the cq/xssprotection/config.xml I set the tag-rule for an anchor as "filter" or "remove" because we don't want to allow our content editors to insert links. From every input field we run the xssAPI.filterHTML() method. However, when set this way, the xssAPI.getValidHref() method that we use for authorized links always returns empty.

This allows getValidHref to work but allows links in unauthorized fields:

<tag name="a" action="validate">
    <attribute name="href"/>
</tag>

This filters out unauthorized links, but doesn't allow getValidHref() to work:

<tag name="a" action="filter" /> or <tag name="a" action="remove" />

I'm looking to filter out anchor tags from almost all inputs, while at the same time, allow only valid paths for path selector inputs.

Any help would be greatly appreciated.

1 Accepted Solution

Correct answer by
Level 10

As informed earlier, the output of authorInput & authorURL is right because:

  1. filter: remove tags, but keep content
  2. validate: keep content as long as it passes rules
  3. remove: remove tag and contents

In case you are expecting a URL that begins with www (authorURL) to be valid and one without www (authorInput) to be invalid, then configure the regular expression in the policy for valid URLs.

6 Replies

Former Community Member

I made very few changes to the xssprotection/config.xml and only in the <tag-rules /> section, see below.

I'm looking for this to work:

String authorInput = "<p>Author input <a href=\"http://wherever.com\">link</a></p>";
String authorURL = "http://www.wherever.com";

// should equal "<p>Author input</p>"
String filteredAuthorInput = xssAPI.filterHTML(authorInput);

// should equal "http://www.wherever.com";
String filteredAuthorURL = xssAPI.getValidHref(authorURL);

However, these are the actual results:

// filteredAuthorInput still has link, filteredAuthorURL is correct
<tag name="a" action="validate"><attribute name="href"/></tag>

// filteredAuthorInput is correct, but filteredAuthorURL is always empty
<tag name="a" action="filter" /> or <tag name="a" action="remove" />

<tag-rules>
    <!-- You can mess with this stuff if you know what you're doing -->
    <tag name="html" action="remove" />
    <tag name="body" action="remove" />
    <tag name="meta" action="remove" />
    <tag name="head" action="remove" />
    <tag name="title" action="remove" />
    <tag name="script" action="remove" />
    <tag name="noscript" action="remove" />
    <tag name="iframe" action="remove" />
    <tag name="embed" action="remove" />
    <tag name="object" action="remove" />
    <tag name="frameset" action="remove" />
    <tag name="frame" action="remove" />
    <tag name="label" action="filter" />
    <tag name="form" action="remove" />
    <tag name="button" action="remove" />
    <tag name="input" action="remove" />
    <tag name="select" action="remove" />
    <tag name="option" action="remove" />
    <tag name="textarea" action="remove" />
    <tag name="h1" action="filter"/>
    <tag name="h2" action="filter"/>
    <tag name="h3" action="filter"/>
    <tag name="h4" action="filter"/>
    <tag name="h5" action="filter"/>
    <tag name="h6" action="filter"/>
    <tag name="p" action="filter" />
    <tag name="i" action="filter"/>
    <tag name="b" action="filter"/>
    <tag name="u" action="filter"/>
    <tag name="strong" action="filter"/>
    <tag name="em" action="filter"/>
    <tag name="small" action="filter"/>
    <tag name="big" action="filter"/>
    <tag name="pre" action="filter"/>
    <tag name="code" action="filter"/>
    <tag name="cite" action="filter"/>
    <tag name="samp" action="filter"/>
    <tag name="sub" action="filter"/>
    <tag name="sup" action="filter"/>
    <tag name="strike" action="filter"/>
    <tag name="center" action="filter"/>
    <tag name="blockquote" action="filter"/>
    <tag name="hr" action="remove"/>
    <tag name="br" action="validate"/>
    <tag name="col" action="filter"/>
    <tag name="font" action="filter" />
    <tag name="a" action="filter" />
    <!--
    <tag name="a" action="validate">
        <attribute name="href"/>
    </tag>
    -->
    <tag name="map" action="remove"/>
    <tag name="base" action="remove" />
    <tag name="style" action="remove" />
    <tag name="span" action="filter"/>
    <tag name="div" action="filter" />
    <tag name="img" action="remove" />
    <tag name="link" action="remove" />
    <!-- List tags -->
    <tag name="ul" action="filter"/>
    <tag name="ol" action="filter"/>
    <tag name="li" action="filter"/>
    <!-- Dictionary tags -->
    <tag name="dd" action="filter"/>
    <tag name="dl" action="filter"/>
    <tag name="dt" action="filter"/>
    <!-- Table tags (tbody, thead, tfoot)-->
    <tag name="thead" action="remove" />
    <tag name="tbody" action="remove" />
    <tag name="tfoot" action="remove" />
    <tag name="table" action="remove" />
    <tag name="td" action="remove" />
    <tag name="th" action="remove" />
    <tag name="tr" action="remove" />
    <tag name="colgroup" action="remove" />
    <tag name="col" action="remove" />
    <tag name="fieldset" action="remove"/>
    <tag name="legend" action="remove"/>
</tag-rules>

Thank You!

Level 10

Can you please post your code so we can see exactly what you are trying to do. 

Former Community Member

Hello Sham,

My question is if it's possible to configure CQ to 1) remove anchor tags with the filterHTML method, while 2) at the same time allow the getValidHref method to also work. Because right now I am unable to get both working together.

Here's an example of what I want to do:

<h1><%= xssAPI.filterHTML("only text is allowed here, no HTML, no anchor tags") %></h1>
<a href="<%= myXssAPI.getValidHref("http://www.adobe.com") %>">this link is OK</a>
<a href="<%= myXssAPI.getValidHref("javascript:alert()") %>">this link is BAD</a>

Thank You!

Level 10

AFAIK xssAPI does not work that way.

Level 10

Have you defined the policy for valid paths? If so, provide us an exact copy of the config. Per the OWASP AntiSamy config (cq/xssprotection/config.xml), the behavior is that:

  • when the tag-rule action is set to “validate” for a given tag, verify that its attributes and child elements follow the rules defined in the policy file.
  • when the tag-rule action is set to “filter” for a given tag, delete the tag but keep its child text.
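
The three tag-rule actions described in the answers above, modelled on the thread's sample input as an added example (not part of the thread, and not AntiSamy or AEM code). The URL pattern, the default for unlisted tags, and the idea that the href check passes a synthetic anchor through the same tag-rules are assumptions chosen to match the behaviour reported in the thread.

```python
import re
from html import escape, unescape
from html.parser import HTMLParser

# Constructed stand-in for the policy's URL pattern (assumption, not Adobe's regex).
SAFE_URL = re.compile(r"^(https?://|/)[\w.\-/~%?=&#:+]*$", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta", "col", "base"}

class TagRules(HTMLParser):
    """Toy model of the filter / validate / remove actions; not AntiSamy."""
    def __init__(self, rules):
        super().__init__(convert_charrefs=True)
        self.rules, self.out, self.skip = rules, [], 0

    def action(self, tag):
        return self.rules.get(tag, "remove")   # model choice for unlisted tags

    def handle_starttag(self, tag, attrs):
        if self.skip or self.action(tag) == "remove":
            self.skip += tag not in VOID       # remove: drop tag and contents
        elif self.action(tag) == "validate":   # keep tag, keep href only if it passes
            href = dict(attrs).get("href") or ""
            attr = f' href="{escape(href)}"' if SAFE_URL.match(href) else ""
            self.out.append(f"<{tag}{attr}>")
        # filter: the tag is dropped, its child text is still emitted below

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.skip:
            self.skip -= 1
        elif self.action(tag) == "validate":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_html(html, rules):
    parser = TagRules(rules)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def valid_href(url, rules):
    # Assumption: the href check runs a synthetic anchor through the same tag-rules.
    cleaned = filter_html(f'<a href="{escape(url)}">x</a>', rules)
    m = re.search(r'<a href="([^"]*)">', cleaned)
    return unescape(m.group(1)) if m else ""

AUTHOR_INPUT = '<p>Author input <a href="http://wherever.com">link</a></p>'  # from the thread
```

In this model, any rule set that strips the anchor from author input also strips the synthetic anchor, so `valid_href` comes back empty for every URL, which is the symptom the question reports.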