Issue
- When we try to add some extra lines of code (output.innerHTML="";) to the web content, it does not work as expected and the innerHTML code is removed.
- We are taken to the first line of the code, so we are unable to edit the code related to innerHTML.
Environment
- Liferay DXP 7.4
Resolution
- The reported removal of .innerHTML is expected product behavior, introduced because of XSS in the Rich Text Editor.
- Some attributes and functionality, such as innerHTML, onclick, onerror, onload and others, were removed because of security vulnerabilities such as XSS.
- We try to follow the best-practices documentation for CKEditor (the name of this text component). That documentation strongly recommends disabling source mode to prevent XSS attacks; because we need source mode, the recommendation is to filter the content to prevent these attacks.
- For a workaround solution, the following unofficial articles might be helpful here:
  - https://stackoverflow.com/questions/718091/alternative-for-innerhtml
  - https://www.reddit.com/r/learnjavascript/comments/117akg0/alternatives_of_innerhtml/
On a side note: Please choose to follow unofficial articles at your own discretion as these threads are not the official documentation of Liferay.
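The kind of alternative those threads discuss, as an added example that is not Liferay's code or taken from the linked threads: the element is cleared and refilled with DOM node methods, and strings are assigned through textContent so any markup in them is displayed as text instead of being parsed. The helper names and the `doc` parameter are hypothetical, and whether the editor's content filter leaves these calls in place is an assumption to verify in your own instance.

```javascript
// Added example: replace `output.innerHTML = "";` with DOM node methods.
// `output` is the element name used in the article; clearElement and
// renderMessages are hypothetical helper names.

// Equivalent of `output.innerHTML = "";` without touching innerHTML.
function clearElement(el) {
  while (el.firstChild) {
    el.removeChild(el.firstChild);
  }
}

// Rebuild the content as nodes. Each string is assigned through textContent,
// so markup inside it is shown literally and never parsed as HTML.
// `doc` defaults to the page's document; it is a parameter only so the
// function can be exercised outside a browser.
function renderMessages(output, messages, doc = globalThis.document) {
  clearElement(output);
  const list = doc.createElement("ul");
  for (const message of messages) {
    const item = doc.createElement("li");
    item.textContent = String(message);
    list.appendChild(item);
  }
  output.appendChild(list);
  return list;
}

// Browser usage (the element id "output" is an assumption):
//   const output = document.getElementById("output");
//   renderMessages(output, ["Saved", "<b>shown as text, not bold</b>"]);
```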
Additional Information