AEM 6.4 Forms has introduced substantial security checks to prevent cross-site scripting (XSS) attacks. These improvements can block some valid HTTP requests for customers using custom components in AEM Forms. If an HTTP request is blocked, the ‘Got Exception while Validating XSS’ message appears in the server logs. For example:
Got Exception while Validating XSS: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100: org.owasp.esapi.errors.ValidationException: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100
To resolve the issue, you can manually remove the security checks to allow all HTTP requests. Removing the security checks makes the system vulnerable to cross-site scripting (XSS) attacks. It is recommended to remove the security checks only as a temporary solution. Contact Adobe support for a permanent solution.
Perform the following steps to temporarily remove security checks:
- Stop the AEM Forms server.
- Create a backup of the [AEM-Forms-Installation-Directory]\configurationManager\export\adobe-livecycle-<application server_name>.ear file.
- Extract the easpi-helper-2.x.x.jar file from the adobe-livecycle-<server_name>.ear file. The location of the easpi-helper-2.x.x.jar file is different for each application server:

| Application Server | Location of the easpi-helper-2.x.x.jar file |
| --- | --- |
| JBoss | adobe-livecycle-jboss.ear/lib |
| Oracle WebLogic | adobe-livecycle-weblogic.ear/APP-INF/lib |
| IBM WebSphere | adobe-livecycle-websphere.ear/ |

- Open the [extracted easpi-helper-2.x.x.jar]/esapi/validation.properties and [extracted easpi-helper-2.x.x.jar]/esapi/ESAPI.properties files for editing.
- Set the value of the following properties to ^[\\s\\S]*$. For example, Validator.HTTPParameterName=^[\\s\\S]*$
  - Validator.HTTPQueryString
  - Validator.PMCallParameterName
  - Validator.PMCallParameterValue
  - Validator.HTTPParameterName
  - Validator.HTTPParameterValue
  - Validator.xssSafeString
- Save and close the files.
- Package the updated easpi-helper-2.x.x.jar in adobe-livecycle-<application server_name>.ear. Deploy the updated adobe-livecycle-<application server_name>.ear to the application server.
- Start the AEM Forms server.
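
Because the relaxed validators are meant to be temporary, it helps to be able to check whether a given properties file still carries them. The following audit script is an added example, not Adobe's code: it reports which of the six validators named above accept arbitrary markup. It assumes Python's `re` stands in for the Java regex engine (equivalent for the patterns shown on this page), and the sample file content and probe string are constructed.

```python
import re

# The six validators the procedure above relaxes (names taken from the page).
RELAXED_KEYS = (
    "Validator.HTTPQueryString", "Validator.PMCallParameterName",
    "Validator.PMCallParameterValue", "Validator.HTTPParameterName",
    "Validator.HTTPParameterValue", "Validator.xssSafeString",
)
# Constructed probe: markup that a restrictive validator should reject.
PROBE = "<script>alert(1)</script>"

# Constructed sample, not a real validation.properties. The first pattern is
# the one quoted in the log message above; the others are the relaxed value.
SAMPLE = r"""
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
Validator.HTTPParameterValue=^[\\s\\S]*$
Validator.xssSafeString=^[\\s\\S]*$
"""

def parse_properties(text):
    # Minimal Java .properties reader: key=value lines, '#' or '!' comments,
    # and a backslash escaping the next character (a doubled backslash in
    # the file is one backslash in the regex). Escapes such as tab, newline
    # or uXXXX are not interpreted.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def audit(text):
    # Classify each of the six validators by whether its pattern accepts
    # PROBE as a whole-string match.
    props, report = parse_properties(text), {}
    for key in RELAXED_KEYS:
        if key not in props:
            report[key] = "missing"
            continue
        try:
            hit = re.fullmatch(props[key], PROBE)
        except re.error:
            report[key] = "unparsable"
            continue
        report[key] = "permissive" if hit else "restrictive"
    return report

if __name__ == "__main__":
    for key, status in audit(SAMPLE).items():
        print(f"{status:12} {key}")
```

To audit a deployment, pass `audit()` the text of the esapi/validation.properties and esapi/ESAPI.properties files extracted from the jar; any validator reported as permissive is one to restore once a permanent solution is in place.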