Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

whitelist aria label in xss protection

Avatar

Level 2

Hi there,

 

Our requirement is to use "aria-label" attribute in anchor tag in source edit of RTE component. We have also tried by overlaying the "xssprotection/config.xml" and adding this attribute to the tag but still unable to resolve the issue.

 

changes we have done in config.xml:

<tag name="a" action="validate">

<!-- onInvalid="filterTag" has been removed as per suggestion at OWASP SJ 2007 - just "name" is valid -->
<attribute name="href"/>
<attribute name="aria-label">
<regexp-list>
<regexp value="anything"/>
</regexp-list>
</attribute>
<attribute name="onFocus"/>
<attribute name="onBlur"/>
<attribute name="nohref">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
<attribute name="rel">
<literal-list>
<literal value="nofollow"/>
</literal-list>
</attribute>
<attribute name="name"/>
<attribute name="target" />
<attribute name="onclick">
<literal-list>
<literal value="CQ_Analytics.Sitecatalyst.customTrack(this)"/>
</literal-list>
</attribute>
<attribute name="adhocenable">
<literal-list>
<literal value="true"/>
<literal value="false"/>
</literal-list>
</attribute>
<attribute name="adhocevents">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
<attribute name="adhocevars">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>

<!-- attributes used by the Adobe Campaign integration in links to landing pages -->
<attribute name="data-nl-type">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
<attribute name="data-nl-landingpage">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
<attribute name="data-nl-landingpagelabel">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
<attribute name="data-nl-landingpagedynamicservice">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
<attribute name="data-nl-service">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
<attribute name="data-nl-servicelabel">
<regexp-list>
<regexp name="anything"/>
</regexp-list>
</attribute>
</tag>

 

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

@ravi_shankerj14  To be able to allow a new html attribute in richtext sourceedit, whitelisting it in the xssprotection config should make it work. It works for me when I tried it in WKND pages with new attribute added in /apps/cq/xssprotection/config.xml

Few things to try at your end:

1. Try adding just the aria-label attribute under a tag in libs xssprotection config and test if that works. If not, you can also try checking on sample WKND content (it might not be working due to richtext customization or project specific code/ content)

2. If that works then check if the overlay is correct in apps, it might be worth checking if you have other changes in this overlay that works but aria-label doesn't or none of the custom changes work. There might be issues with the overlaid file.

View solution in original post

2 Replies

Avatar

Correct answer by
Employee Advisor

@ravi_shankerj14  To be able to allow a new html attribute in richtext sourceedit, whitelisting it in the xssprotection config should make it work. It works for me when I tried it in WKND pages with new attribute added in /apps/cq/xssprotection/config.xml

Few things to try at your end:

1. Try adding just the aria-label attribute under a tag in libs xssprotection config and test if that works. If not, you can also try checking on sample WKND content (it might not be working due to richtext customization or project specific code/ content)

2. If that works then check if the overlay is correct in apps, it might be worth checking if you have other changes in this overlay that works but aria-label doesn't or none of the custom changes work. There might be issues with the overlaid file.