AEM 6.4 Forms has introduced substantial security checks to prevent cross-site scripting (XSS) attacks. These improvements can block some valid HTTP requests for customers using custom components in AEM Forms. If an HTTP request is blocked, the ‘Got Exception while Validating XSS’ message appears in the server logs. For example,  

Got Exception while Validating XSS: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100: org.owasp.esapi.errors.ValidationException: HTTP parameter name: params[browserLocale]: Invalid input. Please conform to regex ^[a-zA-Z0-9_]{1,32}$ with a maximum length of 100

To resolve the issue, you can manually remove the security checks to allow all HTTP requests. Removing the security checks makes the system vulnerable to cross-site scripting (XSS) attacks. It is recommended to remove the security checks only as a temporary solution. Contact Adobe support for a permanent solution.

Perform the following steps to temporarily remove security checks:   

  1. Stop the AEM Forms server.  

  2. Create a backup of the [AEM-Forms-Installation-Directory]\configurationManager\export\adobe-livecycle-<application server_name>.ear file.  

  3. Extract the easpi-helper-2.x.x.jar file from the adobe-livecycle-<server_name>.ear file. The location of the easpi-helper-2.x.x.jar file is different for each application server:

    Application Server    Location of the easpi-helper-2.x.x.jar file
    JBoss                 adobe-livecycle-jboss.ear/lib
    Oracle WebLogic       adobe-livecycle-weblogic.ear/APP-INF/lib
    IBM WebSphere         adobe-livecycle-websphere.ear/

  4. Open the [extracted easpi-helper-2.x.x.jar]/esapi/validation.properties and [extracted easpi-helper-2.x.x.jar]/esapi/ESAPI.properties files for editing.  

  5. Set the value of the following properties to ^[\\s\\S]*$. For example, Validator.HTTPParameterName=^[\\s\\S]*$

    • Validator.HTTPQueryString
    • Validator.PMCallParameterName
    • Validator.PMCallParameterValue
    • Validator.HTTPParameterName
    • Validator.HTTPParameterValue
    • Validator.xssSafeString

    Save and close the files.

  6. Package the updated easpi-helper-2.x.x.jar in adobe-livecycle-<application server_name>.ear. Deploy the updated adobe-livecycle-<application server_name>.ear to the application server.

    Start the AEM Forms server.
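
Because the workaround is meant to be temporary, it helps to be able to confirm which of the six properties are currently set to a match-all pattern. The following Python check is an added example, not Adobe code: it reads properties text, reports the listed keys that accept arbitrary input, and shows why the parameter name in the log message above fails the stricter rule. The sample file contents and probe strings are constructed, and it assumes the validator matches the whole input and that the patterns behave the same in Python's regex engine as in Java's.

```python
import re

# The six properties that the procedure above sets to the match-all pattern.
RELAXED_KEYS = (
    "Validator.HTTPQueryString", "Validator.PMCallParameterName",
    "Validator.PMCallParameterValue", "Validator.HTTPParameterName",
    "Validator.HTTPParameterValue", "Validator.xssSafeString",
)
# Constructed probe inputs: markup, an embedded newline, an over-long value.
PROBES = ("<script>", "a\nb", "x" * 500)

def parse_properties(text):
    """Parse key=value lines of a Java .properties file (no line continuations)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)$", line)
        if m:
            # In a .properties file a doubled backslash encodes a single one.
            props[m.group(1)] = m.group(2).strip().replace("\\\\", "\\")
    return props

def accepts(pattern, value):
    """True if the whole value matches the pattern (assumed validator behaviour)."""
    return re.fullmatch(pattern, value) is not None

def relaxed_keys(text):
    """Return the audited keys whose pattern lets every probe through."""
    props = parse_properties(text)
    return sorted(k for k in RELAXED_KEYS
                  if k in props and all(accepts(props[k], p) for p in PROBES))

# Constructed samples, not copied from a real installation.
STRICT = r"Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$"
EDITED = r"""# after step 5 (constructed)
Validator.HTTPParameterName=^[\\s\\S]*$
Validator.HTTPParameterValue = ^[\\s\\S]*$
"""

if __name__ == "__main__":
    name_rule = parse_properties(STRICT)["Validator.HTTPParameterName"]
    # The square brackets in the parameter name are outside [a-zA-Z0-9_].
    print(accepts(name_rule, "params[browserLocale]"))
    print(relaxed_keys(EDITED))
```

Run it against the contents of the extracted validation.properties and ESAPI.properties files; an empty result means none of the six properties is still set to a match-all pattern.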

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.  Twitter™ and Facebook posts are not covered under the terms of the Creative Commons license.
