Lucee Antisamy xml support or getsafehtml()

Hi All,

For sanitizing html what is the best way to follow in Lucee? In CF there is getSafeHTML() and I am currently using antisamy-ebay-xml file. But to use this functionality readily in Lucee without any change in Adobe CF is difficult, is there any blog I can refer to achieve this?


I’ve been using this module since 2014. Long before Adobe added a function for it :grin:

“Long before”? It seems worth noting that the getsafehtml function came out with cf11, which was released that same year, 2014. (Indeed, cf11 came out in March, while that cbantisamy module shows having come out in November.)

But perhaps you mean you were using the module before it was released, and if so, fair enough. I just thought it might help some to know the antisamy capabilities were added to ACF in cf11, rather than only recently.

Before it was a module, it was a plugin in ColdBox. Don’t let the date on the ForgeBox package make you think it didn’t exist before then :slight_smile: I don’t know the exact date we released the plugin, but there’s links to it on StackOverflow as early as 2010 and according to, the docs were created for it in April of that year.

Ok, and that’s why I added that, “perhaps you mean you were using the module before it was released, and if so, fair enough.” :slight_smile:

It’s also why I ended saying my goal was as much to convey that such antisamy integration being built into ACF was not something new–in case that might weigh into any consideration for it to perhaps be added it to Lucee.

But I appreciate also that the existence of the Fb module may be sufficient reason for the ptb to opt NOT to add that as built-in functionality, even for the sake of compatibility. Always a line to be walked in such choices.

Right, the long-time existence of the functionality built into Adobe 8 years ago is certainly an indictment of Lucee for never implementing it (Here’s the ticket for voting). But the even longer-time functionality available as drop-in modules available to the community for the last 12 years makes me scratch my head when it’s reported as “difficult”.

For a ColdBox MVC user, you just type

CommandBox> install cbantisamy

and then go refill your coffee. For non-ColdBox users (who made the decision they didn’t need the comforts of a framework), the module is very simple and the code on Github can be easily adapted to work standalone.

@Jake01 That code lives here GitHub - coldbox-modules/cbantisamy: Leverages the AntiSamy libraries for providing XSS cleanups and I can help answer any questions you may have if you need to get it running outside of ColdBox.

the latest ESAPI ext has a new function SanitizeHTML()


That’s great news. Is there a reason Lucee didn’t follow Adobe’s BIF name, or does SanitizeHTML() have a different incompatible API?

i asked the same question, it uses a different lib, hence the different name

1 Like

Of course, only Jake can clarify what was found to be difficult. Perhaps he didn’t know of that Fb module, or perhaps he did. Perhaps he even saw the SanitizeHTML that Zack later mentions. Even if it’s as simple as changing getsafehtml to that or the methods in the Fb module, perhaps the difficulty is if Jake uses the code often.

I only weighed in to share the clarification about it not really being “new” functionality to ACF. I’ll leave the conclusion of the story here to Jake and the rest of you folks. :slight_smile:

1 Like

The real joke…

OMG This code, its 10 years old and in production…


OMG it still works


Java Developer, Didnt you refactor this? It cant be
PHP Developer, WTF!!
Python Developer, Um… Never?

Later on in a meeting…

Python Developer, Java Developer & PHP Developer, all screaming to replace the old “Working” code with 99.99999999904 percent uptime

Python Developer - This code is too simple
Java Developer - This code is too old, it needs new features
PHP Developer - This is written for children, what moron wrote this code?

CIO - That moron would be me. I expect your applications will start performing to the same standard.

1 Like

here’s the ticket for that new feature

1 Like