Legacy Knowledge Base
Published Jun. 30, 2025

Automatic removal of onclick event from source of Web Content

Written By

Rishabh Agrawal

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

1. When the content below is pasted into the source view of a Web Content article, the onclick event handler is removed from the source automatically.
Below is the original content:

<div class="Small-ButtonRSecond"><button class="Rbtn" onClick="">Read&nbsp;More<i class="bi bi-arrow-right"></i></button></div>


2. This results in the following output:

<div class="Small-ButtonRSecond"><button class="Rbtn">Read&nbsp;More<i class="bi bi-arrow-right"></i></button></div>

Steps to reproduce:
1. Start the clean instance of Liferay DXP 2024.Q1.5.
2. Navigate to Web Content and create Basic web content.
3. Paste the content below into the source option and observe that the onClick event is removed.
<div class="Small-ButtonRSecond"><button class="Rbtn" onClick="">Read&nbsp;More<i class="bi bi-arrow-right"></i></button></div>

Actual Results: onclick event is being removed from the source.
Expected Results: onclick event should be visible in the source.

Environment

  • 2024.Q1.5

Resolution

  1. The removal of the onclick event in DXP 2024.Q1.5 is intended behavior, put in place to prevent security risks.
  2. This is not limited to the onclick event on a button; it applies to other events as well, which means users cannot add any event handler to any element from the source tab.
  3. Attributes such as onclick, onerror, and onload are removed because they can be used for security vulnerabilities such as XSS; this follows the CKEditor best practices documentation.
  4. That CKEditor documentation strongly recommends disabling source mode to prevent XSS attacks; since source mode is needed here, it recommends filtering the content to prevent these attacks instead.
  5. There is no alternative solution for the reported concern: allowing onclick and similar events could expose the entire application to attack and would pose significant security risks to the portal.
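The following is an added example, not Liferay's or CKEditor's own code, illustrating the kind of content filtering that points 3 and 4 describe: a small scanner that drops inline event-handler attributes (onclick, onerror, onload, and any other on* attribute) from HTML source while keeping every other attribute. Run on the snippet from the issue above it produces exactly the output shown there; a second, constructed input shows onerror and onload being treated the same way. The function names (stripEventHandlers, cleanTag) and the constructed input are assumptions for this illustration; a real deployment should rely on the editor's own filter or a maintained HTML sanitizer rather than this scanner, which does not handle comments or CDATA sections.

```javascript
// Added example (not Liferay's or CKEditor's code): a small filter that drops
// inline event-handler attributes (onclick, onerror, onload, ...) from HTML
// source, reproducing the editor behaviour described in the Resolution.
// Function names are hypothetical; the inputs at the bottom are constructed.
// This scanner does not handle comments or CDATA sections; production code
// should use the editor's own filter or a maintained HTML sanitizer.

// Any attribute whose name is "on" followed by letters is an event handler.
const EVENT_ATTR = /^on[a-z]+$/i;

// One attribute: a name, optionally followed by "=" and a quoted or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'<>`]+))?/g;

// Rebuild one tag without its event-handler attributes.
// Returns [cleanedTag, namesOfRemovedAttributes].
function cleanTag(tag) {
  // End tags, comments and doctype carry no attributes: pass them through.
  if (tag.startsWith("</") || tag.startsWith("<!")) return [tag, []];

  const selfClosing = /\/\s*>$/.test(tag);
  const body = tag.slice(1, selfClosing ? tag.lastIndexOf("/") : tag.length - 1);
  const nameMatch = /^([^\s\/>]+)/.exec(body);
  if (!nameMatch) return [tag, []]; // malformed tag such as "< >": leave alone
  const name = nameMatch[1];
  const rest = body.slice(name.length);

  const kept = [];
  const removed = [];
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(rest)) !== null) {
    if (EVENT_ATTR.test(a[1])) {
      removed.push(a[1]);
    } else {
      kept.push(a[2] !== undefined ? `${a[1]}=${a[2]}` : a[1]);
    }
  }
  const attrs = kept.length ? " " + kept.join(" ") : "";
  return [`<${name}${attrs}${selfClosing ? " />" : ">"}`, removed];
}

// Walk the markup, copying text through unchanged and cleaning each tag.
// Returns { html, removed } so a caller can log what was stripped.
function stripEventHandlers(html) {
  let out = "";
  const removed = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);

    // Find the closing ">" of this tag, ignoring ">" inside quoted values.
    let j = lt + 1;
    let quote = null;
    while (j < html.length) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
      j++;
    }
    if (j >= html.length) { out += html.slice(lt); break; } // unterminated tag

    const [cleaned, dropped] = cleanTag(html.slice(lt, j + 1));
    out += cleaned;
    removed.push(...dropped);
    i = j + 1;
  }
  return { html: out, removed };
}

// The snippet from the issue above: onClick="" is dropped, everything else kept.
const pasted =
  '<div class="Small-ButtonRSecond"><button class="Rbtn" onClick="">' +
  'Read&nbsp;More<i class="bi bi-arrow-right"></i></button></div>';

// Constructed input showing that onerror and onload are handled the same way.
const constructed =
  '<img src="logo.png" onerror="handleError()" /><body onload="init()"><p>ok</p></body>';

for (const input of [pasted, constructed]) {
  const result = stripEventHandlers(input);
  console.log(result.html);
  console.log("removed:", result.removed.join(", ") || "(none)");
}
```

The filter keeps a list of removed attribute names rather than silently dropping them; logging that list is the cheapest way to see why pasted markup came back different, which is the confusion the issue above reports.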