AEM Forms blocks valid HTTP requests

Zoeken
AEM Forms on JEE Handboek
Is van toepassing op: AEM Forms on JEE

AEM 6.4 Forms has introduced substantial security checks to prevent cross-site scripting (XSS) attacks. These improvements can block some valid HTTP requests for customers using custom components in AEM Forms. If an HTTP request is blocked, the ‘Got Exception while Validating XSS’ message appears in the server logs. For example,  

Got Exception while Validating XSS: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100: org.owasp.esapi.errors.ValidationException: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100

To resolve the issue, you can manually remove the security checks to allow all HTTP requests. Removing the security checks makes the system vulnerable to cross-site scripting (XSS) attacks. It is recommended to remove the security checks only as a temporary solution. Contact Adobe support for a permanent solution.

Perform the following steps to temporarily remove security checks:   

  1. Stop the AEM Forms server.  

  2. Create a backup of the [AEM-Forms-Installation-Directory] \configurationManager\export\adobe-livecycle-<application server_name>.ear file.  

  3. Extract the easpi-helper-2.x.x.jar file from the adobe-livecycle-<server_name>.ear file. The location of the easpi-helper-2.x.x.jar file is different for each application server:

    Application Server Location of the easpi-helper-2.x.x.jar file
    JBoss

    adobe-livecycle-jboss.ear/lib
    Oracle WebLogic

    adobe-livecycle-weblogic.ear/APP-INF/lib
    IBM WebSphere adobe-livecycle-websphere.ear/

  4. Open the [extracted easpi-helper-2.x.x.jar]/esapi/validation.properties and [extracted easpi-helper-2.x.x.jar]/esapi/ESAPI.properties files for editing.  

  5. Set the value of the following properties  property to^[\\s\\S]*$ . For example, Validator. HTTPParameterName =^[\\s\\S]*$ 

    • Validator.HTTPQueryString
    • Validator.PMCallParameterName
    • Validator.PMCallParameterValue
    • Validator.HTTPParameterName
    • Validator.HTTPParameterValue
    • Validator.xssSafeString

    Save and close the files.

  6. Package the updated easpi-helper-2.x.x.jar in adobe-livecycle-<application server_name>.ear. Deploy the updated adobe-livecycle-<application server_name>.ear to the application server.

    Start the AEM Forms server.

Dit werk is gelicentieerd onder de Creative Commons Naamsvermelding/Niet-commercieel/Gelijk delen 3.0 Unported-licentie  De voorwaarden van Creative Commons zijn niet van toepassing op Twitter™- en Facebook-berichten.

Juridische kennisgevingen   |   Online privacybeleid

Kies uw regio

Door een regio te selecteren wordt de taal en/of inhoud op Adobe.com gewijzigd.

Americas
Brasil
Canada - English
Canada - Français
Latinoamérica
México
United States
Europe, Middle East and Africa
Africa - English
België
Belgique
Belgium - English
Česká republika
Cyprus - English
Danmark
Deutschland
Eesti
España
France
Greece - English
Ireland
Israel - English
Italia
Latvija
Lietuva
Luxembourg - Deutsch
Luxembourg - English
Luxembourg - Français
Magyarország
Malta - English
Middle East and North Africa - English
Nederland
Norge
Österreich
Polska
Portugal
România
Schweiz
Slovenija
Slovensko
Suisse
Suomi
Sverige
Svizzera
Türkiye
United Kingdom
България
Россия
Україна
الشرق الأوسط وشمال أفريقيا - اللغة العربية
ישראל - עברית
Asia - Pacific
Australia
Hong Kong S.A.R. of China
India - English
New Zealand
Southeast Asia (Includes Indonesia, Malaysia, Philippines, Singapore, Thailand, and Vietnam) - English
中国
中國香港特別行政區
台灣
日本
한국
Commonwealth of Independent States
Includes Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Ukraine, Uzbekistan