AEM 6.5.12.0 - Sling Models Use Pojos Anti Samy Rules for Custom Tags

Goal

When adding custom tags via Sling Models or Use POJOs without overlaying the AntiSamy rules and adding the tags in /apps/cq/xssprotection/config.xml, the custom tag and its unknown attributes are filtered out of the rendered output and you should see the following in error.log...

Github | Package Install

org.apache.sling.xss.impl.XSSFilterImpl Detected policy file change (CHANGED) at /apps/cq/xssprotection/config.xml. Updating policy handler.

org.apache.sling.xss.impl.XSSFilterImpl Installed policy from /apps/cq/xssprotection/config.xml.

GET /content/home.html HTTP/1.1] org.apache.sling.xss.impl.HtmlToHtmlContentContext AntiSamy warning: The tv3-tooltip tag has been filtered for security reasons. The contents of the tag will remain in place.

GET /content/home.html HTTP/1.1] org.apache.sling.xss.impl.HtmlToHtmlContentContext AntiSamy warning: The span tag contained an attribute that we could not process. The slot attribute has been filtered out, but the tag is still in place. The value of the attribute was "source".


No Custom Tags in AntiSamy...

<span>CREF Board of Trustees</span>
<div>The CREF Board of Trustees consists of 10 people who oversee the management of CREF.</div>


Custom Tags in AntiSamy

<tv3-tooltip id="demo-1" tip="The CREF Board of Trustees consists of 10 people who oversee the management of CREF.">
<span slot="source">CREF Board of Trustees</span>
<div>The CREF Board of Trustees consists of 10 people who oversee the management of CREF.</div>
</tv3-tooltip>


Solution

1) Create the Pojo /apps/eaem-anti-samy-model/components/basic-render-component/ExperienceAEMModel.java

package apps.eaem_anti_samy_model.components.basic_render_component;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Plain Use POJO: the HTL Java Use-API instantiates it through its public no-arg constructor
public class ExperienceAEMModel {
    private static final Logger log = LoggerFactory.getLogger(ExperienceAEMModel.class);

    // Returns raw markup containing the custom element. The HTL script outputs it with
    // context='html', so it passes through the AntiSamy policy before it reaches the page.
    public String getHtml() {
        return "<tv3-tooltip id='demo-1' tip='The CREF Board of Trustees consists of 10 people who oversee the management of CREF.'>" +
               "<span slot='source'>CREF Board of Trustees</span>" +
               "<div>The CREF Board of Trustees consists of 10 people who oversee the management of CREF.</div>" +
               "</tv3-tooltip>";
    }
}


2) Create the component render script /apps/eaem-anti-samy-model/components/basic-render-component/basic-render-component.html

<div>
    <h2>Experience AEM Basic Render Component</h2>
    <br>
    <div data-sly-use.eaemModel="apps.eaem_anti_samy_model.components.basic_render_component.ExperienceAEMModel">
        <!--/* context='html' runs the markup through the XSS API's HTML filter (the AntiSamy policy)
              rather than escaping it, so tags and attributes missing from the policy are stripped here */-->
        ${eaemModel.html @ context='html'}
    </div>
</div>


3) Overlay the AntiSamy config file /apps/cq/xssprotection/config.xml and add the following tag rules (the rest of the file is elided)....

<?xml version="1.0" encoding="ISO-8859-1" ?>

<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:noNamespaceSchemaLocation="antisamy.xsd">

    ....
    <tag-rules>
        ......
        <!-- custom element: keep the tag and allow the tip attribute;
             "anything" is a named regexp from the file's common-regexps section -->
        <tag name="tv3-tooltip" action="validate">
            <attribute name="tip">
                <regexp-list>
                    <regexp name="anything" />
                </regexp-list>
            </attribute>
        </tag>

        <!-- lets the slot attribute through on span (filtered out without this rule, see error.log above) -->
        <tag name="span" action="validate">
            <attribute name="slot">
                <regexp-list>
                    <regexp name="anything" />
                </regexp-list>
            </attribute>
        </tag>

    </tag-rules>

</anti-samy-rules>
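The filtering behind the error.log lines can be reproduced offline. The Python script below is an added example, not code from this post, AEM or Apache Sling: it implements a deliberately simplified AntiSamy-style filter (a tag absent from tag-rules is dropped but its contents kept; a tag with action="validate" is kept and each attribute survives only if its value matches a regexp allowed for it, per tag or via global-tag-attributes) and runs the model's markup through a constructed policy with and without the two tag rules from step 3. The policy skeleton, the "anything" and "htmlId" regexp values and the global id attribute are assumptions about the shape of config.xml, not its real content; other AntiSamy actions and directives are not modelled.

```python
"""Simplified AntiSamy-style filter: added example, not AEM's or Apache Sling's code."""
import re
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

# Constructed policy skeleton in the shape of config.xml (assumption, not the real file):
# "anything" and "htmlId" stand in for the named common regexps, id for a global attribute.
POLICY_HEAD = r"""<anti-samy-rules>
  <common-regexps>
    <regexp name="anything" value=".*"/>
    <regexp name="htmlId" value="[a-zA-Z0-9\:\-_\.]+"/>
  </common-regexps>
  <global-tag-attributes>
    <attribute name="id"><regexp-list><regexp name="htmlId"/></regexp-list></attribute>
  </global-tag-attributes>
  <tag-rules>
    <tag name="div" action="validate"/>
"""
POLICY_TAIL = "  </tag-rules>\n</anti-samy-rules>\n"
# Before the overlay: span is allowed but no rule mentions slot or tv3-tooltip
WITHOUT_CUSTOM_TAGS = POLICY_HEAD + '    <tag name="span" action="validate"/>\n' + POLICY_TAIL
# After the overlay: the two tag rules from step 3 of the post
WITH_CUSTOM_TAGS = POLICY_HEAD + """    <tag name="tv3-tooltip" action="validate">
      <attribute name="tip"><regexp-list><regexp name="anything"/></regexp-list></attribute>
    </tag>
    <tag name="span" action="validate">
      <attribute name="slot"><regexp-list><regexp name="anything"/></regexp-list></attribute>
    </tag>
""" + POLICY_TAIL
# Constructed input: the markup ExperienceAEMModel.getHtml() returns
TIP = "The CREF Board of Trustees consists of 10 people who oversee the management of CREF."
SAMPLE_HTML = (f'<tv3-tooltip id="demo-1" tip="{TIP}"><span slot="source">CREF Board of Trustees</span>'
               f'<div>{TIP}</div></tv3-tooltip>')

def load_policy(xml_text):
    """Returns (global attribute patterns, per-tag (action, attribute patterns)) from policy XML."""
    root = ET.fromstring(xml_text)
    common = {r.get("name"): r.get("value") for r in root.iter("regexp") if r.get("value")}

    def patterns(el):  # <regexp name="x"/> refers to an entry in <common-regexps>
        return [re.compile(r.get("value") or common[r.get("name")]) for r in el.iter("regexp")]

    global_attrs = {a.get("name"): patterns(a) for a in root.findall("./global-tag-attributes/attribute")}
    tags = {t.get("name"): (t.get("action"), {a.get("name"): patterns(a) for a in t.findall("attribute")})
            for t in root.findall("./tag-rules/tag")}
    return global_attrs, tags

class AntiSamyLikeFilter(HTMLParser):
    """Rewrites the markup stream, recording warnings worded like the error.log lines."""

    def __init__(self, policy_xml):
        super().__init__()
        self.global_attrs, self.tags = load_policy(policy_xml)
        self.out, self.warnings = [], []
        self.dropped = []  # per open element: was its own tag filtered out?

    def handle_starttag(self, tag, attrs):
        rule = self.tags.get(tag)
        if rule is None:  # unknown tag: drop the tag itself, keep its contents
            self.warnings.append(f"The {tag} tag has been filtered for security reasons. "
                                 "The contents of the tag will remain in place.")
            self.dropped.append(True)
            return
        tag_attrs = rule[1]  # rule[0] is the action; only "validate" is modelled here
        kept = []
        for name, value in attrs:  # keep an attribute only if whitelisted and its value matches
            value = value or ""
            allowed = tag_attrs.get(name) or self.global_attrs.get(name, [])
            if any(p.fullmatch(value) for p in allowed):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.warnings.append(f"The {name} attribute has been filtered out, but the tag is "
                                     f'still in place. The value of the attribute was "{value}".')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.dropped.append(False)

    def handle_endtag(self, tag):
        if not (self.dropped and self.dropped.pop()):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def filter_html(html_text, policy_xml):
    """Returns (filtered markup, warnings), i.e. what context='html' would emit and log."""
    f = AntiSamyLikeFilter(policy_xml)
    f.feed(html_text)
    f.close()
    return "".join(f.out), f.warnings

if __name__ == "__main__":
    for label, policy in (("without", WITHOUT_CUSTOM_TAGS), ("with", WITH_CUSTOM_TAGS)):
        markup, warnings = filter_html(SAMPLE_HTML, policy)
        print(f"--- {label} custom tag rules ---", markup, *warnings, sep="\n")
```

Run as-is, the "without" pass yields the plain span and div shown under "No Custom Tags in AntiSamy" together with the two warnings from error.log, while the "with" pass returns the markup unchanged. Because the rules whitelist only the named attributes, an event-handler attribute on span or an id that fails the htmlId pattern is still stripped even after the overlay, which is the check worth keeping in mind when choosing "anything" as the regexp for an attribute.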
