In the cq/xssprotection/config.xml I set the tag-rule for an anchor as "filter" or "remove" because we don't want to allow our content editors to insert links. From every input field we run the xssAPI.filterHTML() method. However, when set this way, the xssAPI.getValidHref() method that we use for authorized links always returns empty.
This allows getValidHref to work but allows links in unauthorized fields:
<tag name="a" action="validate">
<attribute name="href"/>
</tag>
This filters out unauthorized links, but doesn't allow getValidHref() to work:
<tag name="a" action="filter" /> or <tag name="a" action="remove" />
I'm looking to filter out anchor tags from almost all inputs, while at the same time, allow only valid paths for path selector inputs.
Any help would be greatly appreciated.
Solved! Go to Solution.
Views
Replies
Total Likes
As informed earlier. The output of authorInput & authorURL is right because
In case you are expecting url that begins with www valid (authorURL) & without www(authorInput) invalid then configure the regular expression in policy for valid urls.
Views
Replies
Total Likes
I made very few changes to the xssprotection/config.xml and only in the <tag-rules /> section, see below.
I'm looking for this to work:
String authorInput = "<p>Author input <a href=\"http://wherever.com\">link</a></p>"; String authorURL = "http://www.wherever.com"; // should equal "<p>Author input</p>" String filteredAuthorInput = xssAPI.filterHTML(authorInput); // should equal "http://www.wherever.com"; String filteredAuthorURL = xssAPI.getValidHref(authorURL);
However, this is the actual results:
// filteredAuthorInput still has link, filteredAuthorURL is correct <tag name="a" action="validate"><attribute name="href"/></tag> // filteredAuthorInput is corrrect, but filteredAuthorURL is always empty <tag name="a" action="filter" /> or <tag name="a" action="remove" />
<tag-rules> <!-- You can mess with this stuff if you know what you're doing --> <tag name="html" action="remove" /> <tag name="body" action="remove" /> <tag name="meta" action="remove" /> <tag name="head" action="remove" /> <tag name="title" action="remove" /> <tag name="script" action="remove" /> <tag name="noscript" action="remove" /> <tag name="iframe" action="remove" /> <tag name="embed" action="remove" /> <tag name="object" action="remove" /> <tag name="frameset" action="remove" /> <tag name="frame" action="remove" /> <tag name="label" action="filter" /> <tag name="form" action="remove" /> <tag name="button" action="remove" /> <tag name="input" action="remove" /> <tag name="select" action="remove" /> <tag name="option" action="remove" /> <tag name="textarea" action="remove" /> <tag name="h1" action="filter"/> <tag name="h2" action="filter"/> <tag name="h3" action="filter"/> <tag name="h4" action="filter"/> <tag name="h5" action="filter"/> <tag name="h6" action="filter"/> <tag name="p" action="filter" /> <tag name="i" action="filter"/> <tag name="b" action="filter"/> <tag name="u" action="filter"/> <tag name="strong" action="filter"/> <tag name="em" action="filter"/> <tag name="small" action="filter"/> <tag name="big" action="filter"/> <tag name="pre" action="filter"/> <tag name="code" action="filter"/> <tag name="cite" action="filter"/> <tag name="samp" action="filter"/> <tag name="sub" action="filter"/> <tag name="sup" action="filter"/> <tag name="strike" action="filter"/> <tag name="center" action="filter"/> <tag name="blockquote" action="filter"/> <tag name="hr" action="remove"/> <tag name="br" action="validate"/> <tag name="col" action="filter"/> <tag name="font" action="filter" /> <tag name="a" action="filter" /> <!-- <tag name="a" action="validate"> <attribute name="href"/> </tag> --> <tag name="map" action="remove"/> <tag name="base" action="remove" /> <tag name="style" action="remove" /> <tag name="span" action="filter"/> <tag name="div" action="filter" /> <tag name="img" action="remove" /> <tag name="link" action="remove" /> <!-- List tags --> <tag name="ul" action="filter"/> <tag name="ol" action="filter"/> <tag name="li" action="filter"/> <!-- Dictionary tags --> <tag name="dd" action="filter"/> <tag name="dl" action="filter"/> <tag name="dt" action="filter"/> <!-- Table tags (tbody, thead, tfoot)--> <tag name="thead" action="remove" /> <tag name="tbody" action="remove" /> <tag name="tfoot" action="remove" /> <tag name="table" action="remove" /> <tag name="td" action="remove" /> <tag name="th" action="remove" /> <tag name="tr" action="remove" /> <tag name="colgroup" action="remove" /> <tag name="col" action="remove" /> <tag name="fieldset" action="remove"/> <tag name="legend" action="remove"/> </tag-rules>
Thank You!
Views
Replies
Total Likes
Can you please post your code so we can see exactly what you are trying to do.
Views
Replies
Total Likes
As informed earlier. The output of authorInput & authorURL is right because
In case you are expecting url that begins with www valid (authorURL) & without www(authorInput) invalid then configure the regular expression in policy for valid urls.
Views
Replies
Total Likes
Hello Sham,
My question is if it's possible to configure CQ to 1) remove anchor tags with the filterHTML method, while 2) at the same time allow the getValidHref method to also work. Because right now I am unable to get both working together.
Here's an example of what I want to do:
<h1><%= xssAPI.filterHTML("only text is allowed here, no HTML, no anchor tags") %></h1> <a href="<%= myXssAPI.getValidHref("http://www.adobe.com") %>">this link is OK</a> <a href="<%= myXssAPI.getValidHref("javascript:alert()") %>">this link is BAD</a>
Thank You!
Views
Replies
Total Likes
AFAIK xssAPI does not work that way.
Views
Replies
Total Likes
Have you defined the policy for valid paths ? If so provide us exact config copy. Per OWASP AntiSamy config (cq/xssprotection/config.xml) behavior is that
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies