
SOLVED

Large message size causing error with xssAPI.filterHTML


Level 1

Update: We are using AEM 6.1

After a batch import, we get the following error in /libs/cq/gui/components/endor/badge/badge.jsp which prevented the touch UI from completely loading the authoring page

java.lang.RuntimeException: Unable to scan input
    at org.apache.sling.xss.impl.HtmlToHtmlContentContext.filter(HtmlToHtmlContentContext.java:71)
    at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:183)
    at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:87)
    at org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(XSSAPIImpl.java:332)
    at com.adobe.granite.xss.impl.XSSAPIImpl.filterHTML(XSSAPIImpl.java:101)
    at org.apache.jsp.apps.cq.gui.components.endor.badge.badge_jsp._jspService(badge_jsp.java:821)
    at org.apache.sling.scripting.jsp.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    ....

I was able to track it down to a particular line

<%=xssAPI.filterHTML(i18n.getVar(description)) %>

When I did a check for the length of the description, it was 1672444 characters. Doing a basic substring to say only 1000 characters caused the above error to go away and the touch UI to complete rendering the authoring page.  Is there a character limit in xssAPI that I am not aware of?

Thanks,

Jit

1 Accepted Solution


Correct answer by
Employee Advisor

The XSS API in AEM uses the AntiSamy API for HTML encoding. The AntiSamy API is configured with an XML file, also known as the AntiSamy rules. In AEM 6.1 the rules are configured in the SLING-INF.content/config.xml file present in the com.day.cq.cq-xssprotection-5.5.24.jar file. As per that configuration, the maximum input size allowed is 200000 bytes, which is lower than the input size you are passing, and that's why you see this exception.

<directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="omitDoctypeDeclaration" value="true"/>
    <directive name="maxInputSize" value="200000"/>
    <directive name="useXHTML" value="true"/>
    <directive name="formatOutput" value="true"/>
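
Added example (not part of the original answer, and not Adobe or Sling code): one way to keep the page rendering when a value exceeds the 200000 limit quoted above, by escaping a short truncated head as text instead of emitting raw markup. The two function parameters stand in for xssAPI.filterHTML and xssAPI.encodeForHTML; the class name, FALLBACK_CHARS and the stub filter and encoder in main are assumptions made for illustration.

```java
import java.util.function.UnaryOperator;

public class GuardedHtmlFilter {
    // maxInputSize from the AntiSamy directives quoted in the answer above.
    static final int MAX_INPUT_SIZE = 200000;
    // Hypothetical cap for the fallback rendering (the question used 1000).
    static final int FALLBACK_CHARS = 1000;

    // filterHtml / encodeForHtml stand in for xssAPI.filterHTML / xssAPI.encodeForHTML.
    static String render(String input, UnaryOperator<String> filterHtml,
                         UnaryOperator<String> encodeForHtml) {
        if (input == null || input.isEmpty()) {
            return "";
        }
        // Assumption: the limit is compared against the string length.
        if (input.length() <= MAX_INPUT_SIZE) {
            try {
                return filterHtml.apply(input);
            } catch (RuntimeException e) {
                // e.g. "Unable to scan input": log it, then use the escaped fallback
            }
        }
        // Fail closed: never emit the raw value. A cut can land mid-tag, so the
        // truncated head is escaped as text instead of being filtered as HTML.
        String head = input.substring(0, Math.min(input.length(), FALLBACK_CHARS));
        return encodeForHtml.apply(head);
    }

    public static void main(String[] args) {
        // Constructed stand-ins so the example runs without AEM on the classpath.
        UnaryOperator<String> filter = s -> {
            if (s.length() > MAX_INPUT_SIZE) {
                throw new RuntimeException("Unable to scan input");
            }
            return s.replaceAll("(?is)<script.*?</script>", "");
        };
        UnaryOperator<String> encode = s -> s.replace("&", "&amp;")
                .replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");

        String small = "<b>Imported</b><script>alert(1)</script>";
        // Constructed oversized value, same length as reported in the question.
        StringBuilder big = new StringBuilder("<b>x");
        while (big.length() < 1672444) {
            big.append("<i>y</i>");
        }
        big.setLength(1672444);

        System.out.println(render(small, filter, encode));
        System.out.println(render(big.toString(), filter, encode).length());
    }
}
```

The oversized value never reaches the filter, so the page renders, and the fallback output contains no live markup from the imported data.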


3 Replies



Level 10

It doesn't look like the library is restricting the user with any character limit.

Here is a link to the actual code.

Is there anything unusual in your string which might be causing this?

Can you try with some random string of 1672444 characters?


Level 2

Hello kunal23,

I am seeing the same issue in AEM 6.3.2. I am using one of the default text components. The text size is above the specified limit in the xssprotection/config.xml file. What would be the best way to update this config? Does this config change with newer versions of AEM? Is it safe to override this config by creating a file in the code base?

Thank you