Issue
- When we try to add some extra lines of code (output.innerHTML="";) in the web content, it is not working as expected and the innerHTML is getting removed.
- We are taken to the first line of the code, which makes it impossible to edit the code related to innerHTML.
Environment
- Liferay DXP 7.4
Resolution
- The reported removal of .innerHTML is expected product behavior, introduced to protect the Rich Text Editor against XSS.
- We removed some attributes and functionalities, such as innerHTML, onclick, onerror, onload and others, because of security vulnerabilities such as XSS.
- We try to follow the best-practices documentation for CKEditor (the name of this text component). That documentation strongly recommends disabling source mode to prevent XSS attacks, but since we need source mode, filtering the content is the recommended way to prevent these attacks.
- For a workaround solution, the following unofficial articles might be helpful here:
  - https://stackoverflow.com/questions/718091/alternative-for-innerhtml
  - https://www.reddit.com/r/learnjavascript/comments/117akg0/alternatives_of_innerhtml/
On a side note: please follow unofficial articles at your own discretion, as these threads are not official Liferay documentation.
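The two common uses of innerHTML (clearing an element and rendering a list into it) written with DOM methods instead, as an added example that is not Liferay's code and is not taken from the linked threads. The function names, the doc parameter and the element id "output" are assumptions, and the page does not state whether the editor's filter leaves these calls untouched.

```javascript
// Added example: DOM-method replacements for innerHTML.
// "output" mirrors the variable in the reported snippet; all other
// names are hypothetical.

// Replacement for: output.innerHTML = "";
function clearOutput(output) {
  // Assigning textContent removes every child node without running
  // the HTML parser.
  output.textContent = "";
}

// Replacement for: output.innerHTML = "<ul><li>" + item + "</li></ul>";
function renderList(doc, output, items) {
  clearOutput(output);
  const list = doc.createElement("ul");
  for (const item of items) {
    const li = doc.createElement("li");
    // textContent stores the value as plain text, so any markup inside
    // it is displayed literally and never becomes elements or handlers.
    li.textContent = String(item);
    list.appendChild(li);
  }
  output.appendChild(list);
  return list;
}

// Browser usage; the id "output" and the sample items are constructed.
if (typeof document !== "undefined") {
  const output = document.getElementById("output");
  if (output) {
    renderList(document, output, ["first item", "<b>shown literally</b>"]);
  }
}
```

Because values are assigned through textContent, user-supplied strings cannot introduce the onclick, onerror or onload attributes that the editor filters out.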