I have a component using the Rich Text Edit (xtype="richtext") widget in my project that was used throughout the site as the default text component.
Users would like to insert telephone links using the URI scheme tel into the text entered with this component.
The dialog allows them to do this, but when the Rich Text Edit content is rendered in Sightly / HTL later, the html context is used:
${text @ context='html'}
Once this is done, the value of my attribute will be ignored.
HTML stored in the repository:
<a href="tel:04242424242">Call us!</a>
And what is actually displayed on the author instance page:
<a>Call us!</a>
In the publisher, the tag is completely removed due to link checking.
unsafe href, , . , , XSS .
, html HTL ?
apps/cq/xssprotection/config.xml:
<regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!]+|\#(\w)+)"/>
<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!]*(\s)*"/>
<regexp name="telephoneLink" value="tel:\+?[0-9]+"/>
:
<attribute name="href">
  <regexp-list>
    <regexp name="onsiteURL"/>
    <regexp name="offsiteURL"/>
    <regexp name="telephoneLink"/>
  </regexp-list>
</attribute>
, , , Sightly/HTL html.
sling xss, /libs/sling/xss/config.xml, .
?
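To see why the href is stripped under the html context and what the extra regexp changes, here is an added Go example (not part of the original question, and not AEM's or Sling XSS's own code) that compiles the three regexps from the config above and applies them the way an AntiSamy-style attribute whitelist does. The whole-value match (anchoring each rule with ^...$) is an assumption modelled on AntiSamy's Matcher.matches(); the names hrefRule, mustRule and AllowedBy, and the sample hrefs, are constructed here.

```go
package main

import (
	"fmt"
	"regexp"
)

// hrefRule mirrors one <regexp name="..." value="..."/> entry of the
// AntiSamy-style config.xml quoted in the question.
type hrefRule struct {
	Name    string
	Pattern *regexp.Regexp
}

// mustRule compiles a config regexp as a whole-value match. AntiSamy, on
// which the AEM/Sling XSS protection is based, validates attribute values
// with Matcher.matches(), so the entire href must match one allowed
// expression (assumption: modelled here by anchoring with ^...$).
func mustRule(name, value string) hrefRule {
	return hrefRule{Name: name, Pattern: regexp.MustCompile(`^(?:` + value + `)$`)}
}

// Rules copied verbatim from the question's config.xml, in list order.
// onsiteURL and offsiteURL are the stock rules; telephoneLink is the one
// the question adds.
var hrefRules = []hrefRule{
	mustRule("onsiteURL", `([\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!]+|\#(\w)+)`),
	mustRule("offsiteURL", `(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!]*(\s)*`),
	mustRule("telephoneLink", `tel:\+?[0-9]+`),
}

// AllowedBy returns the name of the first rule that accepts href, or ""
// when no rule matches, which is the case in which the sanitizer drops
// the attribute and <a href="..."> degrades to a bare <a>.
func AllowedBy(rules []hrefRule, href string) string {
	for _, r := range rules {
		if r.Pattern.MatchString(href) {
			return r.Name
		}
	}
	return ""
}

func main() {
	// Constructed sample hrefs: the one from the question plus a few
	// neighbours that show where each rule's boundary lies.
	samples := []string{
		"tel:04242424242",
		"tel:+49 42 42 42",
		"/content/site/contact.html",
		"https://example.com/contact",
		"mailto:info@example.com",
		"javascript:void(0)",
	}
	stock := hrefRules[:2] // onsiteURL + offsiteURL only, as in the stock config
	for _, href := range samples {
		fmt.Printf("%-30s stock=%-14q with telephoneLink=%q\n",
			href, AllowedBy(stock, href), AllowedBy(hrefRules, href))
	}
}
```

Running it shows that tel:04242424242 matches neither stock rule (onsiteURL's character class has no ":" and offsiteURL only admits http, https, ftp and mailto), which is exactly the "bare <a>" result from the author instance, and that it is accepted once telephoneLink is in the list. Two things worth checking before relying on the rule: the whole value must match, so a number written with spaces or a "(0)" is still stripped by tel:\+?[0-9]+, and the rule must actually be referenced from the href attribute's regexp-list, not only declared.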