What is the concern about letting links be allowed from RTE to a component output? Typically links established in RTE are rendered to the component without a concern. Esp if you are writing a text component where the link needs to be live in the web site.
We can surely add the href attribute to xss config file and it will work. Issue is if they want all HTML tags to be allowed, we will end up updating the xss file every single time.
Is there a way to bypass this so that the xss filter does not strip the output on publisher? Or adding needed attributes to xss is the only way to do it.
Believe adding the attributes is the way to go.
In addition - we have updated Article to show use of HTML tags in a RTE that is part of a MF - see here - Adobe Experience Manager Help | Creating an AEM 6.2 HTML Template Language component that uses a Multi-Field dialog (this is for AEM 6.2 - we will do the same for AEM 6.3 soon)
Worth reading:- XSS Filter issue with the target attribute of the a tag
// Copy /libs/cq/xssprotection/config.xml to /apps/cq/xssprotection/config.xml.
In the common-attributes section, add the following target attribute declaration.
<regexp value="[a-zA-Z0-9-_\$]+" />
ind the a tag declaration by searching the term <tag name="a".
Add the line below in the list of attributes:
<attribute name="target" />
Save the file. Now, the link will open in a new window if the option is selected.