根据RTF小部件的输入在HTL中呈现电话链接 [英] Rendering telephone links in HTL based on input from a Rich Text widget
问题描述
我在我的项目中有一个使用Rich Text Edit小部件( xtype = richtext )的组件,该组件在整个网站上都用作默认文本组件。
用户希望能够使用 tel URI方案将电话链接插入使用此组件输入的文本中。
对话框允许他们这样做,但是稍后在Sightly / HTL中呈现Rich Text Edit的内容时, html 上下文:
{$ text @ context ='html'}
完成后,我的属性值将被忽略。
存储在存储库中的HTML是:
< a href = tel:04242424242>给我们打电话! a>
作者实例页面上实际呈现的是:
< a>给我们打电话!< / a>
在发布商上,由于链接检查器,标记被完全删除。
将上下文更改为不安全会导致 href 呈现,但这不是解决方案我愿意接受。该组件已在很多地方使用,我想确保XSS保护足够。
有没有办法影响<$ c $ HTL中的c> html 上下文可以处理电话链接吗?
我尝试在 app的覆盖图中添加一个额外的正则表达式/cq/xssprotection/config.xml :
< regexp name = onsiteURL value = ([[\p {L} \p {N} \\\。\#@\$%\+& amp; \-_〜,\?= /! ] + | \#(\w)+) />
< regexp name = offsiteURL value =(\s)*((ht | f)tp(s?):// | mailto:)[\p {L} \p { N}] + [\p{L}\p{N}\p{Zs}\。\#@\$%\+& ;;:\-_〜,\ \?= /!] *(\s)* />
< regexp name = telephoneLink value = tel:\ +?[0-9] + />
并进一步:
<属性名称= href>
< regexp-list>
< regexp name = onsiteURL />
< regexp name = offsiteURL />
< regexp name = telephoneLink />
< / regexp-list>
< ;!-为简洁起见->
< / attribute>
但这似乎并不影响Sightly / HTL在<$ c中转义字符串的方式$ c> html 上下文。
我还尝试覆盖位于 / libs / sling中的Sling xss规则/xss/config.xml 但也没有运气。
怎么办?
有两个xss保护配置文件:
-
/libs/cq/xssprotection/config.xml -
/libs/sling/xss/config.xml
Sightly正在使用第二个,这意味着您需要将其覆盖在路径 / apps /sling/xss/config.xml
值得一提的是,新配置似乎仅在aem实例重启后才应用。
I have a component using the Rich Text Edit widget (xtype="richtext") in my project that's used across the entire site as the default text component.
The users would like to be able to insert phone links using the tel URI scheme into the text entered using this component.
The dialog allows them to do so but when the contents of the Rich Text Edit are rendered in Sightly/HTL later on, the html context is used:
{$text @ context='html'}
Once this is done, the value of my attribute is ignored.
The HTML stored in the repository is:
<a href="tel:04242424242">Call us!</a>
And what's actually rendered on the page on the author instance is:
<a>Call us!</a>
on the publisher, the tag gets removed altogether because of the link checker.
Changing the context to unsafe causes the href to render but it's not a solution I'm willing to accept. The component is used in a lot of places and I want to be sure the XSS protection is sufficient.
Is there a way I can affect the way the html context in HTL treats telephone links?
I tried adding an extra regular expression to the overlay of apps/cq/xssprotection/config.xml:
<regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!]+|\#(\w)+)"/>
<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!]*(\s)*"/>
<regexp name="telephoneLink" value="tel:\+?[0-9]+"/>
and further on:
<attribute name="href">
<regexp-list>
<regexp name="onsiteURL"/>
<regexp name="offsiteURL"/>
<regexp name="telephoneLink"/>
</regexp-list>
<!-- Skipped for brevity -->
</attribute>
but that doesn't seem to affect the way the Sightly/HTL escapes strings in the html context.
I've also tried overlaying the Sling xss rules located in /libs/sling/xss/config.xml but had no luck either.
How can it be done?
There are two xss protection config files:
/libs/cq/xssprotection/config.xml/libs/sling/xss/config.xml
Sightly is using the second one, which means that you need to overlay it at path /apps/sling/xss/config.xml
What is worth mentioning is that new configuration seems to be applied only after restart of your aem instance.
这篇关于根据RTF小部件的输入在HTL中呈现电话链接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
