Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rendering telephone links in HTL based on input from a Rich Text widget

Tags:

xss

tel

aem

sightly

I have a component using the Rich Text Edit widget (xtype="richtext") in my project that's used across the entire site as the default text component.

The users would like to be able to insert phone links using the tel URI scheme into the text entered using this component.

The dialog allows them to do so but when the contents of the Rich Text Edit are rendered in Sightly/HTL later on, the html context is used:

{$text @ context='html'}

Once this is done, the value of my attribute is ignored.

The HTML stored in the repository is:

 <a href="tel:04242424242">Call us!</a>

And what's actually rendered on the page on the author instance is:

 <a>Call us!</a>

on the publish instance, the tag gets removed altogether because of the link checker.

Changing the context to unsafe causes the href to render but it's not a solution I'm willing to accept. The component is used in a lot of places and I want to be sure the XSS protection is sufficient.

Is there a way I can affect the way the html context in HTL treats telephone links?

I tried adding an extra regular expression to the overlay of apps/cq/xssprotection/config.xml:

<regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!]+|\#(\w)+)"/>
<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!]*(\s)*"/>
<regexp name="telephoneLink" value="tel:\+?[0-9]+"/>

and further on:

<attribute name="href">
    <regexp-list>
        <regexp name="onsiteURL"/>
        <regexp name="offsiteURL"/>
        <regexp name="telephoneLink"/>
    </regexp-list>
    <!-- Skipped for brevity -->
</attribute>

but that doesn't seem to affect the way the Sightly/HTL escapes strings in the html context.

I've also tried overlaying the Sling xss rules located in /libs/sling/xss/config.xml but had no luck either.

How can it be done?

like image 640
toniedzwiedz Avatar asked Sep 16 '16 15:09

toniedzwiedz

1 Answers

There are two xss protection config files:

  1. /libs/cq/xssprotection/config.xml
  2. /libs/sling/xss/config.xml

Sightly is using the second one, which means that you need to overlay it at path /apps/sling/xss/config.xml

What is worth mentioning is that new configuration seems to be applied only after restart of your aem instance.

like image 131
Blazej Kacikowski Avatar answered Oct 16 '22 17:10

Blazej Kacikowski
Sign in to Comment

Related questions

AEM/CQ Maven Project Structure -- Multiple JCR Node Sub-Modules
How to build CQ.Dialog from the dialog json in javascript?
AEM6 component allowedChildren not working
Inject JCR Properties with colon in Sling Model
403 Response From Adobe Experience Manager OAuth 2 Token Endpoint
Is it possible to map a single dialog field to multiple JCR properties without using custom widgets?
Programmatically add node in AEM?
Transitive Dependency: Using Elasticsearch Rest High Client problem in AEM
maven-scr-plugin fails with SCRDescriptorException "unable to scan files ... Class file format probably not supported by ASM ?"
WCM use class can be used wherever we can use sling models.Which one should be preferred and why?
CQ5 preload a parsys with components
How does Apache Sling script resolving rules work?
Multiple Interface Implementations - AEM/CQ - OSGi
JCR API or Apache Sling
How to implement a custom AdapterFactory for Sling Resource?
How to activate programmatically a page in cq5 workflow
OSGi container and application server container in AEM
How to get the CQ5 userInfo in java or jsp by using jackrabbit
Issue with installing AEM 6
Which config is applied when number of matched run modes is the same

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!