Rendering of "onclick" in "(% ... %)" broken in 14.x

NorSch · January 9, 2023, 11:03pm

The easy construction to generate some clickable elements to call a javascript routine by something like

(% onclick="toggleElement('one')" style="color:blue" %)toogle(%%)

does not work in XWiki 14.10.2 any more as the rendered HTML is

<span data-xwiki-translated-attribute-onclick="toggleElement('one')" style="color:blue">toogle</span>

The generated element is not clickable!

The workaround by

{{html clean="false"}}
<span  onclick="toggleElement('one')" style="color:blue" >toogle</span>
{{/html}}

generates the old XWiki-13 HTML Code:

<span onclick="toggleElement('one')" style="color:blue">toogle</span>

Is there an easy way to get the “onclick” attribute into the rendered code back?

Manually generating HTML-Code is sometimes complex, e.g clickable table elements of a wiki table.

Thanks for help

Norbert

MichaelHamann · January 10, 2023, 9:10am

Unfortunately, we had to restrict supported attributes in XWiki syntax to a list of allowed attributes for security reasons in XWiki 14.6. There are basically two options if you want to have the old behavior back:

Allowing just onclick by setting xml.htmlElementSanitizer.extraAllowedAttributes = onclick
Allowing all HTML attributes and elements by setting xml.htmlElementSanitizer = insecure.
HTML elements are primarily relevant for HTML macros authored by users without script right as they use the same cleaning.

Note that both options will introduce the possibility for cross site scripting (XSS) attacks by anyone who can write XWiki syntax. Depending on the configuration of your wiki, this can include guests when comments are allowed by guests.

If you don’t want to allow XSS, you could add a JSX (either just on that document or even on the whole wiki) that, e.g., looks for all elements with an attribute data-toggle-element and adds an onclick-handler to all these elements to toggle the element indicated in the attribute.

vmassol · January 10, 2023, 9:14am

The reference documentation is at https://extensions.xwiki.org/xwiki/bin/view/Extension/XML%20Module#HHTMLCleaning

NorSch · January 10, 2023, 10:40am

Thanks,
after xml.htmlElementSanitizer.extraAllowedAttributes = onclick in xwiki.properties I got the the old behavior.

A remark: As the workaround (see above) is working in XWiki 14.10, the safety targets were not fully achieved.

Norbert

MichaelHamann · January 10, 2023, 10:44am

The workaround only works because the last author of the document containing the HTML macro has script right. If the macro was created by a user without script right or in a restricted context (like a comment), the onclick attribute would have been removed in the output (the clean-parameter is ignored in this case).