Closed muenkti closed 5 years ago
@muenkti, this is not a specification bug. Depending on your platform you might need to configure the XSS library you're using for filtering markup (AntiSamy on AEM / Sling).
Hi @raducotescu ,
thanks for your hint. So I found that I can overlay the file to /apps/sling/xss/config.xml and change the section for the lists.
But maybe it is a good idea to extend the default config.xml with the elements of ol
, ul
and li
with the allowed values of the HTML spec?
I found a file with the sections like this:
<!-- List tags -->
<tag name="ul" action="validate">
<attribute name="type">
<literal-list>
<literal value="disc" />
<literal value="circle" />
<literal value="square" />
</literal-list>
</attribute>
</tag>
<tag name="ol" action="validate">
<attribute name="start">
<regexp-list>
<regexp name="number"/>
</regexp-list>
</attribute>
<attribute name="reversed">
<literal-list>
<literal value="reversed" />
<regexp-list>
<regexp name="boolean"/>
</regexp-list>
</literal-list>
</attribute>
<attribute name="type">
<literal-list>
<literal value="1" />
<literal value="a" />
<literal value="i" />
<literal value="A" />
<literal value="I" />
</literal-list>
</attribute>
</tag>
<tag name="li" action="validate">
<attribute name="value">
<regexp-list>
<regexp name="integer"/>
</regexp-list>
</attribute>
</tag>
Our Authors needed a
<ol>
list which should have a fix "start" attribute. So the html of the resource property may look like this for example:HTL removes the attributes 'start' and 'type' within context 'html'. If I use 'unsafe' the output is correct.
-> working HTL:
<div>${resource.text @ context='unsafe'}</div>
-> not working HTL:<div>${resource.text @ context='html'}</div>
Should it behave like this?