AEM 6.4 Forms has introduced substantial security checks to prevent cross-site scripting (XSS) attacks. These improvements can block some valid HTTP requests for customers using custom components in AEM Forms. If an HTTP request is blocked, the ‘Got Exception while Validating XSS’ message appears in the server logs. For example,
Got Exception while Validating XSS: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100: org.owasp.esapi.errors.ValidationException: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100
To resolve the issue, you can manually remove the security checks to allow all HTTP requests. Removing the security checks makes the system vulnerable to cross-site scripting (XSS) attacks. It is recommended to remove the security checks only as a temporary solution. Contact Adobe support for a permanent solution.
Perform the following steps to temporarily remove security checks:
-
Set the value of each of the following properties to ^[\\s\\S]*$ . For example, Validator.HTTPParameterName=^[\\s\\S]*$
- Validator.HTTPQueryString
- Validator.PMCallParameterName
- Validator.PMCallParameterValue
- Validator.HTTPParameterName
- Validator.HTTPParameterValue
- Validator.xssSafeString
Save and close the files.
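Before widening every validator, the rejections in the server log can be tallied to see which inputs are blocked and which characters cause it. The following is an added example, not Adobe's code: it parses the message format quoted above, lists the characters that fall outside the default rule, and shows that the ^[\\s\\S]*$ value accepts any input. The function names, the constructed sample lines, and the reading of the doubled backslashes as properties-file escaping are assumptions.

```python
import re

# Message layout taken from the log line quoted on this page.
REJECTION = re.compile(
    r"Got Exception while Validating XSS: (?P<context>[^:]+): (?P<value>.+?): "
    r"Invalid input\. Please conform to regex (?P<rule>.+?) "
    r"with a maximum length of (?P<maxlen>\d+)")
# Rules shaped like ^[class]{m,n}$ or ^[class]*$ can be checked per character.
SIMPLE_CLASS = re.compile(r"^\^(\[.+\])(?:\{\d+,\d+\}|[*+])\$$")
# Workaround value as a regex (assumes the doubled backslashes are properties-file escaping).
PERMISSIVE = r"^[\s\S]*$"

def parse_rejections(lines):
    """Return one dict per rejected input found in the log lines."""
    return [{**m.groupdict(), "maxlen": int(m["maxlen"])}
            for m in map(REJECTION.search, lines) if m]

def offending_chars(value, rule):
    """Characters of value outside the rule's character class; None if the rule is not simple."""
    m = SIMPLE_CLASS.match(rule)
    if not m:
        return None
    allowed = re.compile(m.group(1))
    return sorted({c for c in value if not allowed.fullmatch(c)})

def accepts(rule, value, maxlen=100):
    """Whole-input match plus length limit, the two conditions named in the log message."""
    return len(value) <= maxlen and re.fullmatch(rule, value) is not None

def summarize(lines):
    """Map (context, value) -> hit count, rule and offending characters."""
    report = {}
    for r in parse_rejections(lines):
        entry = report.setdefault((r["context"], r["value"]), {
            "count": 0, "rule": r["rule"], "bad": offending_chars(r["value"], r["rule"])})
        entry["count"] += 1
    return report

# Line 1: the message quoted on this page, cut after the exception class. Lines 2-3: constructed.
SAMPLE_LOG = [
    "Got Exception while Validating XSS: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100: org.owasp.esapi.errors.ValidationException",
    "Got Exception while Validating XSS: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100",
    "INFO request completed",
]

if __name__ == "__main__":
    for (context, value), e in summarize(SAMPLE_LOG).items():
        print(f"{e['count']}x {context} {value!r} fails {e['rule']} on {e['bad']}")
    print("workaround accepts markup:", accepts(PERMISSIVE, "<script>"))
```

The tally gives a concrete list of parameters and characters to hand to Adobe support when asking for the permanent solution.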