coldfusioncoldfusion-11antisamy

Why is getSafeHTML() throwing an error?

I seem to be getting an error that the content is too long, but I never specified that there was a limit of 5000. 5000 is way too low anyway

Error validating html input.
Invalid HTML input. Error=The input was too large. The specified input was 6,989 bytes and the maximum is 5,000 bytes.

The error occurred in /Applications/ColdFusion11/cfusion/wwwroot/BS-4-CF/bootstrap/row.cfm: line 39

...

Called from /Applications/ColdFusion11/cfusion/wwwroot/BS-4-CF/views/theme.cfm: line 32
Called from /Applications/ColdFusion11/cfusion/wwwroot/BS-4-CF/index.cfm: line 27

 37 :                               variables.result &= '>';
 38 :                               
 39 :                               variables.result &= getSafeHTML(thisTag.GeneratedContent); // pass through of content
 40 :                               
 41 :                               variables.result &= variables.crlf & '</div><!-- /.row -->';

org.owasp.validator.html.ScanException: The input was too large. The specified input was 6,989 bytes and the maximum is 5,000 bytes. at org.owasp.validator.html.scan.AntiSamyDOMScanner.scan(AntiSamyDOMScanner.java:101) at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:107) at coldfusion.security.ESAPIUtils.getSafeHTML(ESAPIUtils.java:670) at coldfusion.runtime.CFPage.GetSafeHTML(CFPage.java:10785) at cfrow2ecfm1904818855.runPage(/Applications/ColdFusion11/cfusion/wwwroot/BS-4-CF/bootstrap/row.cfm:39)

Solution

  • Antisamy settings are stored in cfusion/lib/antisamy-basic.xml, and there's very clearly a 5000 char threshold set in there:

    <directive name="maxInputSize" value="5000"/>

    Changes to that value impact how getSafeHtml() operates.

    The second part of this is why is that threshold so stupidly low? Subjectively, I'd say it's because the Adobe ColdFusion Team aren't terribly competent, and it did not occur to them that 5000 chars of HTML is not very much these days. They would not know this as they are not web developers, and therefore are not particularly au fait with the common day-to-day usage of the software they provide. This presents itself repeatedly, at the expense of their user base.

    I have raised a bug for this: https://bugbase.adobe.com/index.cfm?event=bug&id=4064602. A good use of your time might be to go vote for it.