Ankush Bangroo created SLING-12744:
--------------------------------------
Summary: Sling XSS is stripping away international telephone
prefix ( +tel )
Key: SLING-12744
URL: https://issues.apache.org/jira/browse/SLING-12744
Project: Sling
Issue Type: Bug
Components: XSS Protection API
Affects Versions: XSS Protection API 2.4.6
Reporter: Ankush Bangroo
Sling XSS is stripping away international telephone prefix ( +tel )
Defined a regular expression here:
{code:java}
<regexp name="telURL" value="tel:[\+0-9]+"/>
{code}
Added the regex:
{noformat}
<attribute name="href">
  <regexp-list>
    <regexp name="onsiteURL"/>
    <regexp name="offsiteURL"/>
    <regexp name="expressionURL"/>
    <regexp name="telURL"/>
  </regexp-list>
</attribute>
{noformat}
We can reproduce by having a text component and following these steps:
* Add the number
* Do Save
** Check the POST Call
** Check JCR
* Reopen the RTE
** Refresh the page, validate what is loaded
** Open the Dialog, check what is present in the JSON
* Save the RTE again
** Check the POST call
** Check JCR
The POST call strips away the telephone link.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
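
A triage check for the policy fragments in the report above, as an added example (not code from the report or from Sling): it parses the two posted fragments, resolves the names in the href regexp-list, and tests constructed href values against the resolved patterns. It assumes the filter requires the whole attribute value to match (`Matcher.matches()`); the wrapping `<policy>` root, the class name and the sample numbers are constructed, and `onsiteURL`, `offsiteURL` and `expressionURL` are reported as unresolved because their definitions are not on the page.

```java
import java.io.StringReader;
import java.util.*;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class TelHrefCheck {
    // The two fragments from the report, wrapped in a constructed <policy> root.
    static final String POLICY = "<policy>"
        + "<regexp name=\"telURL\" value=\"tel:[\\+0-9]+\"/>"
        + "<attribute name=\"href\"><regexp-list>"
        + "<regexp name=\"onsiteURL\"/><regexp name=\"offsiteURL\"/>"
        + "<regexp name=\"expressionURL\"/><regexp name=\"telURL\"/>"
        + "</regexp-list></attribute></policy>";

    // Constructed sample href values: with prefix, without, and three altered forms.
    static final String[] SAMPLES = { "tel:+14155550100", "tel:14155550100",
        "tel:%2B14155550100", "tel: 14155550100", "tel:+1-415-555-0100" };

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(POLICY)));

        // Split <regexp> elements into definitions (with value) and references.
        Map<String, Pattern> defined = new LinkedHashMap<>();
        List<String> referenced = new ArrayList<>();
        NodeList nodes = doc.getElementsByTagName("regexp");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            if (e.hasAttribute("value")) {
                defined.put(e.getAttribute("name"), Pattern.compile(e.getAttribute("value")));
            } else {
                referenced.add(e.getAttribute("name"));
            }
        }
        for (String name : referenced) {
            if (!defined.containsKey(name)) System.out.println("unresolved (not on the page): " + name);
        }
        // Assumption: the filter requires the whole attribute value to match.
        for (String href : SAMPLES) {
            String hit = "none";
            for (String name : referenced) {
                Pattern p = defined.get(name);
                if (p != null && p.matcher(href).matches()) hit = name;
            }
            System.out.printf("%-24s matched by: %s%n", href, hit);
        }
    }
}
```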