Hi guys ,
I am allowing SVG graphic attributes and elements ( https://developer.mozilla.org/en-US/docs/Web/SVG ) in /apps/cq/xssprotection/config.xml .
But I am not able to allow transform property for CSS .
I have tried adding the below code in embed component as HTML but still AEM is trimming that piece of code ( Please find code and screenshots below ) .
<svg viewbox="0 0 420 200" xmlns="http://www.w3.org/2000/svg">
<filter id="noise1" x="0" y="0" width="100%" height="100%">
<feturbulence basefrequency="0.025" />
</filter>
<filter id="noise2" x="0" y="0" width="100%" height="100%">
<feturbulence basefrequency="0.05" />
</filter>
<rect x="0" y="0" width="200" height="200" style="filter: url(#noise1);" ></rect>
<rect
x="0"
y="0"
width="200"
height="200"
style="filter: url(#noise2); transform: translateX(220px);" ></rect>
</svg>
HTML Code in browser --
tried code under <css-rules> tag -->
<property name="transform">
<literal-list>
<literal value="translateX"/>
</literal-list>
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</property>
Can anyone please help regarding this issue ?
Thank You
Solved! Go to Solution.
Views
Replies
Total Likes
Hi @gkalyan , I can't modify server's headers and <meta> tag solution is also not resolving the issue .
So , what I understand is /libs/cq/xssprotection/config.xml ( overlayed by /apps/cq/xssprotection/config.xml ) provides XSS protection mechanism which filters out all user-supplied content ( in my case , code is being added in embed component as HTML ) .
And by default there is no rule provided for "transform" property and that's why the same property is getting removed in browser .
Hi @newbie34 , Can you please try by updating /apps/cq/xssprotection/config.xml as follows.
Add the regex pattern for transform property under <common-regexps> as below
<regexp name="CSStransform" value="translateX\((-|\+)?0|(-|\+)?([0-9]+(\.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
and update <css-rules> tag with
<property name="transform">
<regexp-list>
<regexp name="CSStransform"/>
</regexp-list>
</property>
HI @newbie34
You can try Implementing a CSP header in your web server configuration or meta tags in your HTML. You can specify a policy that allows inline styles, including the transform property.
You can configure your web server to return the Content-Security-Policy HTTP header with the rules
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline';
If you cannot modify your server’s headers, you can use a <meta> tag in your HTML document like below:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline';">
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Hi @gkalyan , I can't modify server's headers and <meta> tag solution is also not resolving the issue .
So , what I understand is /libs/cq/xssprotection/config.xml ( overlayed by /apps/cq/xssprotection/config.xml ) provides XSS protection mechanism which filters out all user-supplied content ( in my case , code is being added in embed component as HTML ) .
And by default there is no rule provided for "transform" property and that's why the same property is getting removed in browser .
Has anyone found a solution to this?