Tracker issue: CF-4160218


GetSafeHTML will crash on invalid XML (antisamy, nekohtml)


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): David Mitchell / David Mitchell (David Mitchell)

Created: 06/01/2016

Components: Security

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final /

Priority/Frequency: Normal / All users will encounter

Locale/System: English / Windows 10 64 bit

Vote Count: 0

Related Bugs:
CF-4160212 - Similar to

Problem Description:

When attempting to sanitize data, getCleanHTML (actually the underlying scan method from AntiSamy) will throw an "Invalid HTML input. Error=org.w3c.dom.DOMException: INVALID_CHARACTER_ERR: An invalid or illegal XML character is specified." exception.

Steps to Reproduce:

<!--- An attribute named "1" is not a valid XML name; getSafeHTML() throws instead of stripping it --->
<cfset invalidxml = "<span 1=''>invalid</span>" />
<cfdump var="#getSafeHTML(invalidxml)#">

Actual Result:


Expected Result:

Remove the invalid attribute.

Any Workarounds:

We are currently adding a catch for this error and then removing the entire string.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4160218

External Customer Info:
External Customer Name: David Mitchell
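The reporter's workaround (catch the exception and drop the whole string) written out as a fail-closed wrapper. This is an added example, not code from the bug report or from ColdFusion; the function name safeHTMLOrEmpty, the log file name and the sample inputs are assumptions.

```cfml
<cfscript>
// Added example (not from the report): a fail-closed wrapper around getSafeHTML().
// Until the AntiSamy/NekoHTML crash on invalid markup is fixed, input that trips the
// DOMException is discarded entirely rather than passed through unsanitized, and the
// rejection is logged so dropped input is visible in the application log.
function safeHTMLOrEmpty(required string input) {
    try {
        return getSafeHTML(arguments.input);
    } catch (any e) {
        // Fail closed: never hand the caller the raw, unsanitized input.
        writeLog(type="warning", file="antisamy",
                 text="getSafeHTML rejected input: " & e.message);
        return "";
    }
}

// Constructed inputs: the one from the report, which raises the DOMException,
// and a well-formed fragment that sanitizes normally.
invalidxml = "<span 1=''>invalid</span>";
validhtml  = "<b onclick='x()'>bold</b>";

// First value is the empty string (dropped); second is whatever getSafeHTML returns.
writeOutput(safeHTMLOrEmpty(invalidxml) & "|" & safeHTMLOrEmpty(validhtml));
</cfscript>
```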



The fix will be available in the upcoming ColdFusion 11 update. Thanks!
Comment by S P. | September 12, 2016 01:17:33 AM GMT