April 7, 2020

Large message size causing error with xssAPI.filterHTML in AEM 6.1?

Question: After a batch import, we get the following error in /libs/cq/gui/components/endor/badge/badge.jsp, which prevented the touch UI from completely loading the authoring page:
java.lang.RuntimeException: Unable to scan input
at org.apache.sling.xss.impl.HtmlToHtmlContentContext.filter(HtmlToHtmlContentContext.java:71)
at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:183)
at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:87)
at org.apache.sling.xss.impl.XSSAPIImpl.filterHTML(XSSAPIImpl.java:332)
at com.adobe.granite.xss.impl.XSSAPIImpl.filterHTML(XSSAPIImpl.java:101)
at org.apache.jsp.apps.cq.gui.components.endor.badge.badge_jsp._jspService(badge_jsp.java:821)
at org.apache.sling.scripting.jsp.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)

Answer: The XSS API in AEM uses the AntiSamy API for HTML encoding. AntiSamy is configured with an XML file, also known as the AntiSamy rules. In AEM 6.1 the rules are configured in the SLING-INF.content/config.xml file inside com.day.cq.cq-xssprotection-5.5.24.jar. According to that configuration, the maximum input size allowed is 200000 bytes, which is lower than the size of the input you are passing, and that is why you see this exception.

<directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="omitDoctypeDeclaration" value="true"/>
    <directive name="maxInputSize" value="200000"/>
    <directive name="useXHTML" value="true"/>
    <directive name="formatOutput" value="true"/>
</directives>
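A pre-import check built on the directives shown above, as an added example that is not part of the original post or of AEM: it reads maxInputSize from the policy and lists the string properties in a batch that would exceed it, so they can be handled before the content reaches xssAPI.filterHTML. The enclosing anti-samy-rules element, the content paths and the property values are constructed sample data, and measuring size as UTF-8 bytes is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the directives from the post, wrapped in a root element.
POLICY_XML = """
<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="omitDoctypeDeclaration" value="true"/>
    <directive name="maxInputSize" value="200000"/>
    <directive name="useXHTML" value="true"/>
    <directive name="formatOutput" value="true"/>
  </directives>
</anti-samy-rules>
"""

def max_input_size(policy_xml):
    """Return the maxInputSize directive of an AntiSamy policy as an int."""
    root = ET.fromstring(policy_xml)
    for directive in root.iter("directive"):
        if directive.get("name") == "maxInputSize":
            return int(directive.get("value"))
    raise ValueError("policy has no maxInputSize directive")

def oversized(records, limit):
    """Return (path, property, size) for each string value over the limit."""
    hits = []
    for path, props in records.items():
        for name, value in props.items():
            if isinstance(value, str):
                # UTF-8 byte length is never below the character count, so this
                # is conservative whichever unit the filter counts (assumption).
                size = len(value.encode("utf-8"))
                if size > limit:
                    hits.append((path, name, size))
    return hits

# Constructed batch-import records (hypothetical paths and property values).
SAMPLE_BATCH = {
    "/content/site/en/page-a": {"jcr:description": "short text"},
    "/content/site/en/page-b": {"jcr:description": "<p>" + "x" * 200000 + "</p>"},
    "/content/site/en/page-c": {"jcr:title": "é" * 100001, "hits": 3},
}

if __name__ == "__main__":
    limit = max_input_size(POLICY_XML)
    for path, name, size in oversized(SAMPLE_BATCH, limit):
        print(f"{path}/{name}: {size} bytes exceeds maxInputSize {limit}")
```

Flagged values can be trimmed, split or rejected at import time, which keeps the filter in the rendering path instead of removing it to make the page load.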


By aem4beginner
