Below is some context about the problem I am looking for a solution to:
"I only want to have a prod environment for Contentful. The preview URL is being used for the UAT and Dev environments. So if the content is in draft it will be reflected in Dev and UAT, and when published it will be reflected in both environments as well as Prod."
Now the issue is that there are some links in the content that have a prod domain, like www.[prod-domain]/blah blah. I need those URLs' domains to be replaced with the UAT or Dev domains in the draft (depending on environment), like www.[UAT-domain].blah blah
Is there any middleware for this? If not, what's the best way to achieve this in-app?
Salma from Contentful here!
If you use relative links in the content (e.g. /blahblah), they would automatically resolve to the current domain when navigated to on the front end.
If you're using Rich Text and outputting links in the flow of the text, you could get around the protocol requirement in the usual link formatter by creating a custom 'internal link' entry content type, which you can embed as an inline entry. For this content type, you could ask editors to provide a path to a page without the https protocol and domain, and ensure there is validation for that in the web app (using the pattern validation).
Another option would be to remove the protocol and domain from the URLs when rendering on the front end to avoid the editors having to create extra entries when adding content to the Rich Text field.
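The render-time option described above, as an added example that is not part of the original answer or Contentful's own code. It assumes the Rich Text JSON shape in which hyperlink nodes carry their target in data.uri; the host names and the function names toRelativeIfProd and rewriteRichTextLinks are constructed for illustration.

```javascript
// Constructed placeholder hosts: substitute the real production hostnames.
const PROD_HOSTS = new Set(["www.prod.example", "prod.example"]);

// Returns a site-relative path for links to a production host, else the href unchanged.
function toRelativeIfProd(href, prodHosts = PROD_HOSTS) {
  let url;
  try {
    url = new URL(href); // throws on relative or malformed input
  } catch (err) {
    return href; // already relative, leave it alone
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return href;
  // Compare the parsed hostname exactly. A substring or prefix test would also
  // match look-alike hosts such as www.prod.example.other.test.
  if (!prodHosts.has(url.hostname)) return href;
  // Collapse leading slashes so "//other.test/x" cannot come out as a
  // protocol-relative link to a different host.
  const path = url.pathname.replace(/^\/+/, "/");
  return path + url.search + url.hash;
}

// Walks a Rich Text document and returns a copy with hyperlink URIs rewritten.
function rewriteRichTextLinks(node, prodHosts = PROD_HOSTS) {
  const copy = { ...node };
  if (node.nodeType === "hyperlink" && node.data && typeof node.data.uri === "string") {
    copy.data = { ...node.data, uri: toRelativeIfProd(node.data.uri, prodHosts) };
  }
  if (Array.isArray(node.content)) {
    copy.content = node.content.map((child) => rewriteRichTextLinks(child, prodHosts));
  }
  return copy;
}

// Constructed sample document in the Rich Text JSON shape.
const sampleDoc = { nodeType: "document", data: {}, content: [
  { nodeType: "paragraph", data: {}, content: [
    { nodeType: "hyperlink", data: { uri: "https://www.prod.example/pricing?plan=a#faq" },
      content: [{ nodeType: "text", value: "Pricing", marks: [], data: {} }] },
    { nodeType: "hyperlink", data: { uri: "https://www.prod.example.other.test/pricing" },
      content: [{ nodeType: "text", value: "Look-alike", marks: [], data: {} }] },
  ] },
] };
```

Because the result is relative, the same rendered content resolves to whichever domain (Dev, UAT or Prod) serves the page.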
I'm using the free JS plugin from tinymce and interested in preventing an HTML injection with the tinymce text editor.
I've added this property to the INIT:
invalid_elements: 'script' (just for this example)
However, nothing happens. The editor still "accepts" the script tag and passes it on.
I looked at https://www.tiny.cloud/docs/tinymce/6/content-filtering/#invalid_elements and it should work but I don't see any change once it's added.
Am I doing something wrong?
Is there a way to limit some HTML elements with this editor?
Any other tips on how to use that editor and prevent the malicious HTML..?
TinyMCE certainly has a variety of configuration options to help you control what content is created in the editor but you can never assume that data provided to you client side is "clean" or "safe". Nefarious people can bypass your front end and all of its validation if their goal is to cause harm to your system.
You should always configure your front end appropriately. TinyMCE has a variety of configuration options to assist with content filtering/validation (https://www.tiny.cloud/docs/configure/content-filtering/) to only allow those types of tags you want created, etc including:
https://www.tiny.cloud/docs/configure/content-filtering/#valid_elements
https://www.tiny.cloud/docs/configure/content-filtering/#extended_valid_elements
https://www.tiny.cloud/docs/configure/content-filtering/#valid_children
https://www.tiny.cloud/docs/configure/content-filtering/#schema
https://www.tiny.cloud/docs/configure/content-filtering/#invalid_elements
However, regardless of the front end design, you should always re-check submitted content on the server to ensure it is safe. There is simply no way around that need. What constitutes "safe" is likely a business decision based on what your application does and who uses it.
There are many different libraries you can use server side to do this sort of validation/cleansing so depending on your specific server side setup you can find libraries that allow you to "sanitize/purify" the submitted HTML.
I would note that TinyMCE (by default) should not allow <script> tags in your content so it is likely that such behavior could be due to your current configuration.
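A server-side re-check of the kind the answer calls for, as an added example that is not TinyMCE code or code from the original answer. It is a fail-closed gate that rejects anything outside an assumed allowlist (the tag list, the href rule and the name checkEditorHtml are assumptions); cleaning rejected content is still a job for a sanitizing library.

```javascript
// Assumed policy: allowed tags and, per tag, the attributes they may carry.
const ALLOWED = new Map(Object.entries({
  p: [], br: [], strong: [], em: [], ul: [], ol: [], li: [], a: ["href"],
}));
// href must be https:// or a single-slash site path; no backslashes and no
// character references other than &amp;, so the value cannot decode to another scheme.
const SAFE_HREF = /^(?:https:\/\/|\/(?!\/))(?:[A-Za-z0-9\-._~\/?=%:+,;@!#]|&amp;)*$/;
const TOKEN = /<[^<>]*>|[^<>]+|[<>]/g; // a tag, a run of text, or a stray bracket
const OPEN = /^<([a-z][a-z0-9]*)((?:\s+[a-z-]+="[^"]*")*)\s*\/?>$/;
const CLOSE = /^<\/([a-z][a-z0-9]*)>$/;

// Returns a list of policy violations; an empty list means the HTML may be stored.
function checkEditorHtml(html) {
  const problems = [];
  for (const tok of String(html).match(TOKEN) || []) {
    if (tok === "<" || tok === ">") {
      problems.push(`unencoded "${tok}" outside a tag`);
      continue;
    }
    if (tok[0] !== "<") continue; // text run, nothing to check
    const m = OPEN.exec(tok) || CLOSE.exec(tok);
    if (!m) { // comments, unquoted attributes, upper-case tags, ...
      problems.push(`malformed markup: ${tok}`);
      continue;
    }
    const [, name, attrs = ""] = m;
    if (!ALLOWED.has(name)) {
      problems.push(`tag not allowed: ${name}`);
      continue;
    }
    for (const [, attr, value] of attrs.matchAll(/\s+([a-z-]+)="([^"]*)"/g)) {
      if (!ALLOWED.get(name).includes(attr)) {
        problems.push(`attribute not allowed: ${name}[${attr}]`);
      } else if (attr === "href" && !SAFE_HREF.test(value)) {
        problems.push(`unsafe href: ${value}`);
      }
    }
  }
  return problems;
}
```

Every "<" in an accepted document begins a tag that matched the strict pattern and the allowlist, which is what makes the check independent of whatever filtering the browser-side editor did or did not apply.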
I have a CMS that includes some content via a self-hosted instance of Squidex. Right now, I can iframe Squidex into the CMS with proper authentication and such. The problem is that I get the whole Squidex UI (e.g., the ability to create schemas and such) when I really just want the editor for a specific schema's content.
The outer CMS knows the app and schema names.
My guess is that I'd need to add a query parameter or two to the Squidex iframe URL, but I can't find documentation about what that might be.
How do I hide everything but the actual content editor bits from within the outer CMS?
I recently created a personal blog site with a custom theme using HUGO (source). It deploys on netlify (link) perfectly. But I wanted to publish it on my own domain (mydomain.xyz/pen). I already have a portfolio on mydomain.xyz, therefore I want to publish on a subdomain (/pen).
I tried using github pages for that but it is showing a weird result without any theme (just raw HTML).
Can someone tell me how I can resolve this issue? If necessary, I can also publish using netlify but on my own custom domain.
It sounds like the links to your static files (CSS, JS, etc.) are broken, and so the CSS isn't getting loaded. Are you setting the baseURL configuration option correctly? If this is set to the root of your domain (https://mydomain.xyz) instead of the subpage (https://mydomain.xyz/pen) then this could lead to the links being broken.
If that doesn't work, then let us know what theme you are using, and let us see your configuration file (with any sensitive info redacted). This will enable us to check if there is a problem in how your theme is displaying the static content, or whether there are any other issues with your config file that are causing the links to break.
How do you do relative links within text editor component? Adobe AEM doesn't like when I use relative links to external pages by default. It strips them out and shows the broken link symbol.
I strongly recommend you to uncheck Disable Checking in Day CQ Link Checker Transformer.
Be aware that it's your responsibility to ensure all links are valid:
Completely disable all link checking. All links are handled as valid.
This is something you want to check with your team (Devs, TAs...). It may work on your local environment and it will fail in QA, UAT and PROD as this option is not checked.
Disabling the link checker might not be a good idea as Content Authors may add broken links, which will break user navigation throughout the site if this is not picked up during testing and regression testing.
Regarding paths, relative paths are those within the environment you're in. For instance,
/content/dam/geometrixx/banners/banner-mono.png
is a relative path; however, the path to Stack Overflow is outside your environment and is therefore external. In order to be valid, you need to provide the full URL including the scheme, either http, https, ftp, ftps and so on. A valid external URL would be:
http://www.stackoverflow.com
More info about URLs can be found here.
While disabling the link checker will work, I'm not sure how you are referencing external websites by relative link. Relative links are on the same domain by their nature. Can you give us an example of what you mean?
The other problem with disabling the link checker is that the production deployment will likely have the link checker turned on. In this case your code will break again. You probably don't want your client/boss/whatever upset about that.
Relative links can be made to work just fine with the linkchecker. Can you post some example links? I can help you make things work properly.
This issue is quite common if you have URLs (paths) in your domain that are NOT served by AEM. These can be files directly served by the Apache (e.g. robots.txt), Servlets creating dynamic redirects (e.g. language switcher) or another application (e.g. web shop under /shop).
First solution is to mark an individual link for the link checker as valid. Therefore you can add the following attribute to the link tag.
x-cq-linkchecker="valid" - link is marked as valid, without any check
x-cq-linkchecker="skip" - link is ignored by the link checker, and remains as is
e.g. Shopping Basket
Second solution is to configure specially treated link patterns in the OSGi config of the “Day CQ Link Checker Service”. In case you have a second application in the same domain, you can specify regex patterns matching the links to this second application. Use either “Link Check Override Patterns” (not checked, but rewritten) or “Special Link Patterns” (not checked and not rewritten).
Example configuration in which only links to /content/* are verified. Links not matching ^/content/.*$ are treated as valid:
<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
jcr:primaryType="sling:OsgiConfig"
service.special_link_prefix="[javascript:,data:,mailto:,#,<!--,${,tel:]"
service.check_override_patterns="[^system/,^(?!/content/).*$]"
/>
Fixed my issue in /system/console/configMgr# > Day CQ Link Checker Transformer > Check "Disable Checking" box.
Relative paths now work.
It seems to be quite basic problem, but I still cannot find a nice solution.
I made a component that uses a dialog property.
How could I avoid setting this property for every single page if this component is used also in template?
What I already have tried:
1. I set the name attribute in dialog.xml to an absolute path - Component stops working as standalone (dropped into parsys).
2. Move it to design_dialog.xml - First of all it's conceptually content, so I do not like such a move, and again it does not make much sense for standalone versions.
3. Change resource path to absolute, while including in template:
<cq:include path="/content/site/somepage" resourceType="/apps/portal/components/myComponent" />
At first look it was almost it. Instances included via parsys have their own path, and Content for the template is fetched from a single resource... But where to store it, to make template code independent from pages tree structure?
Is there any other nice way to do so? or at least way to improve 3.?
To the original poster, the functionality you are looking for is now supported by Shared Component Properties in ACS AEM Commons (http://adobe-consulting-services.github.io/acs-aem-commons/features/shared-component-properties.html)
Compared to your suggested solutions:
1. No absolute property path is required for SCP.
2. Agreed these are "content" properties, so they should be stored as "content" instead of "design". SCP stores these values under the homepage node of a site, making them as genuine of content as any other piece of content.
3. Agreed that it is bad to have a template hard-coded to a content path of a single site, especially since this makes a multi-site implementation impossible without creating a bunch of templates. SCP does not have this problem, because each site has its own homepage under which the properties are stored.
If I understand correctly, you have a component which may work in two modes:
it may be included statically in the main page renderer via <cq:include>
it may be also dropped into some parsys.
In the first mode component should have some common configuration for all pages and in the second mode it should be configured separately per-instance. The problem is how to create such common configuration.
I think your 3rd solution is perfectly fine assuming that the component configuration is shared by all sites in your CQ instance. At some point it may be too strong an assumption, e.g. you may have 3 language branches under /content/site-en, /content/site-fr and /content/site-de and you'd like to make a separate configuration for each branch.
I'd suggest the following improvement to the 3rd solution: you may create the shared component under some relative path which will be the same for all pages, like /content/.../configuration/shared-component (where ... may be site1, site2 or site3). Then take the first two parts of the current page path, add the /configuration/shared-component suffix and use <cq:include> to include the path created in such a way.
You may also take a different approach and create a common configuration page referenced by all statically included components. These components may try to find their configuration automatically (via the relative path as above) or they may have a single pathfield that references configuration page.
If you don't like these options (as they assume some site structure or they need some minimal configuration for each component), consider using HierarchyNodeInheritanceValueMap. It allows you to get a property from the current resource and, if there is no such property, it'll look into the same resource on ancestor pages. Using this you could configure your component just once, in the site root page, and inherit configuration across the whole site.