tracker issue : CF-4160212

select a category, or use search below
(searches all categories and all time range)

Coldfusion 11 ships with outdated version of Antisamy library

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): David Mitchell / David Mitchell (David Mitchell)

Created: 06/01/2016

Components: Security

Versions: 11.0

Failure Type: Data Corruption

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Major / All users will encounter

Locale/System: English / Windows 10 64 bit

Vote Count: 0

Related Bugs:
CF-4160218 - Similar to

Problem Description:

The version of Antisamy which ships with CF11 is 1.4.4.  This version was released in early 2011 (see:  The latest version is 1.5.3.

Version 1.4.4 of this lib has a couple of issues, the most egregious of these is the encoding of characters after the scan method is run.  Characters such as the smart quote (’, rsquo), some characters with diacritics (ä, auml) and smart dashes (–, ndash).  (Note this list is not exhaustive)

Steps to Reproduce:


		sanitizer = createObject("java", "org.owasp.validator.html.AntiSamy");
		policy = "C:\ColdFusion11\cfusion\lib\antisamy-basic.xml";

		rs = ["–", "’", "é", "ä", "õ"];

		for (r in rs){
			writeDump( getSafeHTML(r) );

			r = variables.sanitizer.scan(toString(r), variables.policy).getCleanHTML();


Actual Result:

the html encoded values are returned

Expected Result:

the text, unaltered should be returned

Any Workarounds:

We have replaced the antisamy-1.4.4.jar file with the 1.5.3 version

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4160212

External Customer Info:
External Company:  
External Customer Name: David Mitchell
External Customer Email:  
External Test Config: My Hardware and Environment details:



The fix will be available in the upcoming update of ColdFusion 11. Thanks!
Comment by S P.
2524 | August 08, 2016 04:27:10 AM GMT