AEM Forms blocks valid HTTP requests

AEM 6.4 Forms has introduced substantial security checks to prevent cross-site scripting (XSS) attacks. These improvements can block some valid HTTP requests for customers using custom components in AEM Forms. If an HTTP request is blocked, the ‘Got Exception while Validating XSS’ message appears in the server logs. For example,  

Got Exception while Validating XSS: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100: org.owasp.esapi.errors.ValidationException: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100

To resolve the issue, you can manually remove the security checks to allow all HTTP requests. Removing the security checks makes the system vulnerable to cross-site scripting (XSS) attacks. It is recommended to remove the security checks only as a temporary solution. Contact Adobe support for a permanent solution.

Perform the following steps to temporarily remove security checks:   

  1. Stop the AEM Forms server.  

  2. Create a backup of the [AEM-Forms-Installation-Directory] \configurationManager\export\adobe-livecycle-<application server_name>.ear file.  

  3. Extract the easpi-helper-2.x.x.jar file from the adobe-livecycle-<server_name>.ear file. The location of the easpi-helper-2.x.x.jar file is different for each application server:

    Application Server

    Location of the easpi-helper-2.x.x.jar file

    JBoss

    adobe-livecycle-jboss.ear/lib

    Oracle WebLogic

    adobe-livecycle-weblogic.ear/APP-INF/lib

    IBM WebSphere

    adobe-livecycle-websphere.ear/

  4. Open the [extracted easpi-helper-2.x.x.jar]/esapi/validation.properties and [extracted easpi-helper-2.x.x.jar]/esapi/ESAPI.properties files for editing.  

  5. Set the value of the following properties  property to^[\\s\\S]*$ . For example, Validator. HTTPParameterName =^[\\s\\S]*$ 

    • Validator.HTTPQueryString
    • Validator.PMCallParameterName
    • Validator.PMCallParameterValue
    • Validator.HTTPParameterName
    • Validator.HTTPParameterValue
    • Validator.xssSafeString

    Save and close the files.

  6. Package the updated easpi-helper-2.x.x.jar in adobe-livecycle-<application server_name>.ear. Deploy the updated adobe-livecycle-<application server_name>.ear to the application server.

    Start the AEM Forms server.

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online