Is there a preferred method for subscribing to AEM version and service
pack releases notifications Particularly I'm hoping to be notified when
the dispatcher has new releases available.
When I try to connect to our AEM instances in the desktop app over
HTTPs, the app fails to mount the network share.Instead it just opens
the instance in the app window:If I connect to the instance over HTTP,
it works as expected. The network share is mounted and I can see and
edit files from the DAM within it.Is HTTPs not supported in the Desktop
App?As a best security practice, we want to encrypt traffic to and from
the DAM, so using HTTPs is preferred for this connection.
Since this issue began we have started the upgrade process to 6.5.1.
After many weeks of verifying, we have yet to come across the issue with
that version.So this is resolved with an upgrade to the latest AEM
release.
We are hoping to address CVE -CVE-2019-11358 in the jQuery library
provided with AEM.In versions prior to 6.4, we would overlay
/libs/clientlibs/granite/jquery and apply security patches based on
recommendations from the jQuery team.However, starting with 6.4, the
/libs/clientlibs/granite nt:folder node has the granite:InternalArea
mixin applied.With that, we are no longer able to overlay jQuery and
patch it ourselves per documentation here: Adobe Experience Manager Help
| Sustainable Upgrades "...
I'm coming across a strange issue with AEM Assets in 6.4.Whether I use
the Create --> Files option in the ui or drag and drop an image from the
local machine into Assets I am seeing the following error:However this
is for only 1 asset, if I click Ok, I'm then given:If I select Upload,
it presents another dialog with a progress bar that does nothing. If I
instead select Cancel it closes the dialog.Despite the above, the asset
is uploaded and processed in the DAM. I see after I refresh the current...
I figured out the issue,The problem was caused by this line in the XSS
policy: Per the OSASP
documentation, this will output the sanitized data in XHTML format as
opposed to just regular
HTML:https://www.owasp.org/index.php/AntiSamy_Directives Changing the
value to "false" allows the sanitized markup to be output as standard
HTML.Block level elements are not shortened and made invalid.
Hi. Thank you for responding.I'm already overlaying the xss policy
configuration, as we have some custom attributes that need to be allowed
in certain tags.Note, this does not expose an instance to XSS attacks as
the policy is still enforced.When I view the error.log file while
loading the page with this issue, I don't see any messages generated
related to AntiSamy, or package
org.apache.sling.xss.impl.HtmlToHtmlContentContext.So either the issue
is not caused by the XSS policy, or the Granite X...
We use the source edit options (misctools) in an overlaid Rich Text
Editor component.It works well for the most part, however empty div tags
are getting shortened, so:becomes:This is breaking inclusion of dynamic markup via our javascript.The
div tag is not a void element, so I'm wondering why this is
happening.I've looked into settings for the RTE, but have yet to find a
setting that would be related.I think it may be related more to the XSS
API. If I change the sightly display context to "unsa...
Hi Anubha and Guarav.According to our Adobe Technical Account Manager,
it turns out this issue was supposedly fixed in 6.3.3.0 but it is still
a present issue in 6.3.3.1. Perhaps the fix was removed or reverted in
SP3 Cumulative Fix Pack 1? He also mentions it is fixed in internal
builds of 6.5 but not yet released.At this point we are likely going to
request a backport fix for our current AEM version, via a Daycare
ticket.However, we are also in the process of testing an upgrade to
6.4.3. I'm w...
After a recent upgrade to Cumulative Fix Pack 2 on an AEM 6.3, SP3
author, pathfield dialog selections are disappearing when the component
dialog is re-opened.This was working prior to the fix pack update, so we
assume it is related to this item from the release notes: Adobe
Experience Manager Help | Release Notes: AEM 6.3 Cumulative Fix Pack
PathField is not selected in the pathBrowser when re-opening the
component. NPR-24177We are using the pathfield from under
granite/ui/components/coral/foun...
The rewrite conditions in the above snippet are denying POSTs to any URI
except a specific bin servlet (one which we want to allow content to be
posted to) via use of the forbidden flag. The request processing ends at
the Apache layer for these POSTs and doesn't make it back to AEM.Since
Apache HTTP server and its modules don't have any way of recognizing a
Sling resource type, I was concerned that those rules will block
legitimate POSTs back to a servlet which is only bound by resource type
or ...
Hi Jörg.When I hit the publisher directly now with a POST, I am getting
a 403 forbidden for any page as expected.The only change made was to
disable contexthub read access for the "everyone" group. I have yet to
determine how that could possible affect this.In any case, after
verifying the publisher, I re-attempted the POST request at the
Dispatcher layer. I was still able to receive a 200 at that layer. So I
added the following update in our main apache configuration file, to
block the POSTs be...
