tracker issue : CF-4064602

Title:

getSafeHtml() input string length limited to 5000 chars


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Adam Cameron / Adam Cameron (Adam Cameron)

Created: 09/26/2015

Components: Language

Versions: 11.0

Failure Type: Usability Issue

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Normal / Most users will encounter

Locale/System: ALL / Platforms All

Vote Count: 5

Listed in the version 2016.0.0.297996 Issues Fixed doc
Verification notes: verified_fixed on August 22, 2019 using build 2016.0.01.298513
Repro:
<cfscript>
raw = repeatString("x",5001);
clean = getSafeHtml(raw);
writeDump(variables);
</cfscript>

Expected:
it to work

Actual:
Error validating html input.
coldfusion.security.ESAPIUtils$HTMLValidationException: Error validating html input.
        at coldfusion.security.ESAPIUtils.getSafeHTML(ESAPIUtils.java:693)
        at coldfusion.runtime.CFPage.GetSafeHTML(CFPage.java:10984)
        at cfgetCleanHtml2ecfm926324941.runPage(D:\temp\getCleanHtml.cfm:3)
        at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:250)
        at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:736)
        at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:572)
        at coldfusion.tools.CLI.compileAndRun(CLI.java:314)
        at coldfusion.tools.CLI.main(CLI.java:189)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at coldfusion.tools.CLIInvoker.main(CLIInvoker.java:142)
Caused by: org.owasp.validator.html.ScanException: The input was too large. The specified input was 5,001 bytes and the maximum is 5,000 bytes.

This is controlled by cfusion/lib/antisamy-basic.xml, but 5000 chars is a stupidly low restriction here. Does it need to have a restriction at all? If I comment out that line, there seems to be a ceiling of 100000, which is still a bit light, but I imagine it's a restriction of the library you're using.

At a minimum you need to document this stupidly low threshold you've set, and how to remove it. But you should also do the same with CF itself: remove the restriction.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4064602

External Customer Info:
External Customer Name: Adam Cameron

Comments:

This requires manual configuration in a not obvious place. Because of this issue, configuration for a site cannot be consolidated in application.cfc. Furthermore there is no way to see or change this in the administrator
Vote by External U.
5720 | September 26, 2015 11:36:55 AM GMT
+1 ..........................
Vote by External U.
5721 | September 26, 2015 12:44:36 PM GMT
+1 - the character limit is too low, even when maxInputSize is commented-out in antisamy-basic.xml
Vote by External U.
5722 | September 27, 2015 01:45:02 PM GMT
Hi Adam, Thanks for the tip on antisamy-basic.xml. I also see the 100000 limit. I commented-out maxInputSize in antisamy-basic.xml and still got an error when running www.coldfusion.com's source HTML thru getSafeHtml(). It threw: ----------- Invalid HTML input. Error=The input was too large. The specified input was 211,686 bytes and the maximum is 100,000 bytes. ----------- Thanks!, -Aaron
Comment by External U.
5714 | September 27, 2015 01:48:21 PM GMT
+1 - I agree with the other comments, and it is impacting our sites
Vote by External U.
5723 | October 02, 2015 11:07:52 AM GMT
Adobe can you pls elaborate on what the fix is here, given there's a few moving parts in play, and a few different options for how you could address this. Ideally this info should be shared BEFORE you go ahead and do the work, TBH?
Comment by External U.
5715 | October 09, 2015 05:03:31 AM GMT
+1. . . . . . . . . . . . . .
Vote by External U.
5724 | October 09, 2015 10:56:11 AM GMT
+1 to Adam's question. What was changed? Thanks!, -Aaron
Comment by External U.
5716 | October 09, 2015 09:49:26 PM GMT
The change/fix that has been made is that we are switching to 100,000 (100k or 1 lac), which is the antisamy default, from the previous value of 5000 characters. The same behavior will be documented as well, as mentioned below: "The maxInputSize directive of antisamy specifies the maximum size of input that should be allowed before it gets validated. The antisamy-basic.xml shipped by CF restricts the input to 5000 characters. If the input supplied to this function is greater than 5000 characters, it results in an error. One can change this value according to their need. Removing this directive from the antisamy xml sets the default limit to 100,000."
Comment by S P.
5717 | October 15, 2015 12:28:30 AM GMT
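The directive resolution described in the comment above, shown against the OWASP AntiSamy library that getSafeHtml() wraps (the org.owasp.validator.html classes in the stack trace), as an added example that is not part of the tracker thread or Adobe's code. It assumes the AntiSamy jar is on the classpath and that the path passed on the command line points at a copy of antisamy-basic.xml; the class and method names are this example's own.

```java
// Added example, not from the tracker thread: reads the maxInputSize directive from an
// AntiSamy policy the way the library resolves it, and sanitises fail-closed so that
// oversized input is rejected with a clear message rather than passed through raw.
// Assumes the OWASP AntiSamy jar on the classpath; args[0] is a path to antisamy-basic.xml.
import java.io.File;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class MaxInputSizeCheck {

    /** Effective cap: the policy's maxInputSize directive, or AntiSamy's built-in
     *  default (Policy.DEFAULT_MAX_INPUT_SIZE, 100,000) when the directive is absent. */
    static int effectiveMaxInputSize(Policy policy) {
        String directive = policy.getDirective("maxInputSize");
        return directive == null ? Policy.DEFAULT_MAX_INPUT_SIZE : Integer.parseInt(directive);
    }

    /** Fail-closed wrapper: input over the cap is rejected up front with the cap in the
     *  message; anything within the cap goes through the normal AntiSamy scan. */
    static String sanitiseOrReject(String html, Policy policy) throws ScanException, PolicyException {
        int cap = effectiveMaxInputSize(policy);
        if (html.length() > cap) {
            throw new IllegalArgumentException("HTML input of " + html.length()
                    + " chars exceeds policy maxInputSize of " + cap + "; rejecting, not sanitising");
        }
        CleanResults results = new AntiSamy().scan(html, policy);
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance(new File(args[0]));
        System.out.println("effective maxInputSize: " + effectiveMaxInputSize(policy));

        // Constructed input: one character over the 5,000 limit shipped in CF11's policy.
        String raw = "x".repeat(5001);
        try {
            sanitiseOrReject(raw, policy);
            System.out.println("input accepted (policy cap is above 5,000)");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Run it once against the shipped file and once with the maxInputSize directive commented out to see the cap move from 5,000 to the 100,000 default.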
Cool, cheers for the clarification, S (very short given name you have there ;-)
Comment by External U.
5718 | October 15, 2015 01:52:22 AM GMT
The fix will be available in the next ColdFusion release. Thanks!
Comment by S P.
5719 | October 19, 2015 12:13:01 AM GMT
Hi Adobe, I've verified this is fixed in CF2016 Update 1 (build 2016.0.01.298513). Thanks!, -Aaron
Comment by Aaron N.
31146 | August 22, 2019 09:06:30 AM GMT