Expand my Community achievements bar.

SOLVED

xssAPI.getValidHref returns empty if xssprotection/config.xml's anchor tag-rule is set to "filter" or "remove"

Avatar

Former Community Member
10/15/15 7:27:22 PM

In the cq/xssprotection/config.xml I set the tag-rule for an anchor as "filter" or "remove" because we don't want to allow our content editors to insert links. From every input field we run the xssAPI.filterHTML() method. However, when set this way, the xssAPI.getValidHref() method that we use for authorized links always returns empty.

This allows getValidHref to work but allows links in unauthorized fields:

<tag name="a" action="validate">
            <attribute name="href"/>            
</tag>

 

This filters out unauthorized links, but doesn't allow getValidHref() to work:

<tag name="a" action="filter" /> or <tag name="a" action="remove" />

 

I'm looking to filter out anchor tags from almost all inputs, while at the same time, allow only valid paths for path selector inputs.

Any help would be greatly appreciated.

Views

1.3K

Replies

6

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:27:22 PM

As informed earlier. The output of authorInput & authorURL is right because

  1. filter: remove tags, but keep content
  2. validate: keep content as long as it passes rules
  3. remove: remove tag and contents

In case you are expecting url that begins with www valid (authorURL) & without www(authorInput) invalid then configure the regular expression in policy for valid urls.

View solution in original post

Views

674

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
6 Replies

Avatar

Former Community Member
10/15/15 7:27:22 PM

I made very few changes to the xssprotection/config.xml and only in the <tag-rules /> section, see below.

I'm looking for this to work:

String authorInput = "<p>Author input <a href=\"http://wherever.com\">link</a></p>"; String authorURL = "http://www.wherever.com"; // should equal "<p>Author input</p>" String filteredAuthorInput = xssAPI.filterHTML(authorInput); // should equal "http://www.wherever.com"; String filteredAuthorURL = xssAPI.getValidHref(authorURL);

 

However, this is the actual results:

// filteredAuthorInput still has link, filteredAuthorURL is correct <tag name="a" action="validate"><attribute name="href"/></tag> // filteredAuthorInput is corrrect, but filteredAuthorURL is always empty <tag name="a" action="filter" /> or <tag name="a" action="remove" />

 

 

 

<tag-rules> <!-- You can mess with this stuff if you know what you're doing --> <tag name="html" action="remove" /> <tag name="body" action="remove" /> <tag name="meta" action="remove" /> <tag name="head" action="remove" /> <tag name="title" action="remove" /> <tag name="script" action="remove" /> <tag name="noscript" action="remove" /> <tag name="iframe" action="remove" /> <tag name="embed" action="remove" /> <tag name="object" action="remove" /> <tag name="frameset" action="remove" /> <tag name="frame" action="remove" /> <tag name="label" action="filter" /> <tag name="form" action="remove" /> <tag name="button" action="remove" /> <tag name="input" action="remove" /> <tag name="select" action="remove" /> <tag name="option" action="remove" /> <tag name="textarea" action="remove" /> <tag name="h1" action="filter"/> <tag name="h2" action="filter"/> <tag name="h3" action="filter"/> <tag name="h4" action="filter"/> <tag name="h5" action="filter"/> <tag name="h6" action="filter"/> <tag name="p" action="filter" /> <tag name="i" action="filter"/> <tag name="b" action="filter"/> <tag name="u" action="filter"/> <tag name="strong" action="filter"/> <tag name="em" action="filter"/> <tag name="small" action="filter"/> <tag name="big" action="filter"/> <tag name="pre" action="filter"/> <tag name="code" action="filter"/> <tag name="cite" action="filter"/> <tag name="samp" action="filter"/> <tag name="sub" action="filter"/> <tag name="sup" action="filter"/> <tag name="strike" action="filter"/> <tag name="center" action="filter"/> <tag name="blockquote" action="filter"/> <tag name="hr" action="remove"/> <tag name="br" action="validate"/> <tag name="col" action="filter"/> <tag name="font" action="filter" /> <tag name="a" action="filter" /> <!-- <tag name="a" action="validate"> <attribute name="href"/> </tag> --> <tag name="map" action="remove"/> <tag name="base" action="remove" /> <tag name="style" action="remove" /> <tag name="span" action="filter"/> <tag name="div" action="filter" /> <tag name="img" action="remove" /> <tag name="link" action="remove" /> <!-- List tags --> <tag name="ul" action="filter"/> <tag name="ol" action="filter"/> <tag name="li" action="filter"/> <!-- Dictionary tags --> <tag name="dd" action="filter"/> <tag name="dl" action="filter"/> <tag name="dt" action="filter"/> <!-- Table tags (tbody, thead, tfoot)--> <tag name="thead" action="remove" /> <tag name="tbody" action="remove" /> <tag name="tfoot" action="remove" /> <tag name="table" action="remove" /> <tag name="td" action="remove" /> <tag name="th" action="remove" /> <tag name="tr" action="remove" /> <tag name="colgroup" action="remove" /> <tag name="col" action="remove" /> <tag name="fieldset" action="remove"/> <tag name="legend" action="remove"/> </tag-rules>

 

 

Thank You!

Views

674

Replies

0

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
10/15/15 7:27:22 PM

Can you please post your code so we can see exactly what you are trying to do. 

Views

673

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 10
Level 10
10/15/15 7:27:22 PM

As informed earlier. The output of authorInput & authorURL is right because

  1. filter: remove tags, but keep content
  2. validate: keep content as long as it passes rules
  3. remove: remove tag and contents

In case you are expecting url that begins with www valid (authorURL) & without www(authorInput) invalid then configure the regular expression in policy for valid urls.

Views

675

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Former Community Member
10/15/15 7:27:22 PM

Hello Sham,

My question is if it's possible to configure CQ to 1) remove anchor tags with the filterHTML method, while 2) at the same time allow the getValidHref method to also work. Because right now I am unable to get both working together.

Here's an example of what I want to do:

 

<h1><%= xssAPI.filterHTML("only text is allowed here, no HTML, no anchor tags") %></h1> <a href="<%= myXssAPI.getValidHref("http://www.adobe.com") %>">this link is OK</a> <a href="<%= myXssAPI.getValidHref("javascript:alert()") %>">this link is BAD</a>

 

Thank You!

Views

674

Replies

0

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
10/15/15 7:27:22 PM

AFAIK xssAPI does not work that way.

Views

674

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
10/15/15 7:27:22 PM

Have you defined the policy for valid paths ?    If so provide us exact config copy. Per OWASP AntiSamy config (cq/xssprotection/config.xml)  behavior is that

  • when the tag-rule action is set to “validate” for given tag. Verify that its attributes and children elements follow rules defined in policy file.
  • when the tag-rule action is set to “filter” for given tag. Delete tag, but keep its child text.

Views

675

Replies

0
Sign in to like this content

Total Likes

Translate
Translate