Unfortunately Batik 1.16 breaks my application.

My application uses Batik to show and modify SVG graphics. The SVG graphics are displayed and optionally saved as files. The Java application calls Javascript functions which dynamically modify the SVG graphics. The Javascript functions sometimes call Java functions for complex tasks. E.g. there is a class called "SVGSupport" in my namespace com.bjoernv.myapp which creates dimensioning in technical drawings (SVG drawings).

Since the Batik 1.16 update only allows a static list of Java packages and class names, my "SVGSupport" class is forbidden:

See RhinoClassShutter.java changes from Batik 1.16:

[...]

    private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");

[...]

    /**
     * Returns whether the given class is visible to scripts.
     */
    public boolean visibleToScripts(String fullClassName) {
        if (!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")) {
            return false;
        }

My application initializes the SVGSupport class this way. First it needs the custom class "Canvas" to make the RhinoInterpreter from JSVGCanvas accessible. Then it calls interpreter.bindObject("svgsupport", svgSupport). This function results in an exception 'org.mozilla.javascript.EvaluatorException: Access to Java class "com.bjoernv.myapp.SVGSupport" is prohibited.':

    Canvas canvas = (Canvas) svgCanvas;
    RhinoInterpreter interpreter = (RhinoInterpreter) canvas.getRhinoInterpreter();
    svgSupport = new SVGSupport(svgCanvas.getSVGDocument(), SVGDrawingsBaseView.this);
    interpreter.bindObject("svgsupport", svgSupport);


package com.bjoernv.myapp;

import org.apache.batik.swing.JSVGCanvas;
import org.apache.batik.swing.svg.SVGUserAgent;

/**
 * An extension of JSVGCanvas that exposes the Rhino interpreter.
 * Source: batik-*/sources/org/apache/batik/apps/svgbrowser/JSVGViewerFrame.java
 */
public class Canvas extends JSVGCanvas {

    /**
     * Creates a new Canvas.
     */
    public Canvas(SVGUserAgent ua, boolean eventsEnabled,
                  boolean selectableText) {
        super(ua, eventsEnabled, selectableText);
    }

    /**
     * Creates a new Canvas.
     */
    public Canvas() {
        super();
    }

    /**
     * Returns the Rhino interpreter for this canvas, or null if the
     * document has not been loaded yet (bridgeContext is the protected
     * field inherited from JSVGComponent and is only set after loading).
     */
    public Object getRhinoInterpreter() {
        if (bridgeContext == null) {
            return null;
        }
        return bridgeContext.getInterpreter("text/ecmascript");
    }
}

Currently I see only the work-around to create a package in "org.*" for my SVGSupport class.

Wouldn't it be better to make the list of allowed and forbidden classes (allowlist and blocklist) configurable? Sub-classing RhinoClassShutter is of course possible, but a sub-classed RhinoClassShutter class is not easy to inject into JSVGCanvas according to my knowledge.

Probably I am not the only user with this problem. What can you suggest?

Greetings,
Björn
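As an added illustration of the configurable allowlist proposed above (example code, not part of the original mail or of Batik), the following stand-alone Rhino program installs a deny-by-default ClassShutter that exposes only exact, explicitly listed class names, with no package-prefix wildcard such as "org.*". It assumes a Rhino jar on the classpath and uses a hypothetical SvgSupportStub in place of the real SVGSupport class; it is not wired into JSVGCanvas, which is the injection problem described in the mail.

```java
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.ScriptableObject;

/** Deny-by-default shutter: only exact, explicitly configured class names are visible. */
public class ConfigurableClassShutter implements ClassShutter {
    private final Set<String> allowed;

    public ConfigurableClassShutter(Set<String> allowed) {
        this.allowed = Set.copyOf(allowed);
    }

    @Override
    public boolean visibleToScripts(String fullClassName) {
        // Exact match only: no prefix rule, so an "org.*" package gives no free pass.
        return allowed.contains(fullClassName);
    }

    /** Hypothetical stand-in for the application's SVGSupport helper. */
    public static class SvgSupportStub {
        public String describe() { return "dimensioning helper"; }
    }

    public static void main(String[] args) {
        Context cx = Context.enter();
        try {
            // A fresh Context has no shutter yet; setClassShutter refuses to overwrite one.
            cx.setClassShutter(new ConfigurableClassShutter(
                Set.of(SvgSupportStub.class.getName())));
            ScriptableObject scope = cx.initStandardObjects();
            ScriptableObject.putProperty(scope, "svgsupport",
                Context.javaToJS(new SvgSupportStub(), scope));

            // Allowed: the bound helper's class is on the allowlist, so scripts can call it.
            Object ok = cx.evaluateString(scope, "svgsupport.describe()", "ok.js", 1, null);
            System.out.println("allowed: " + Context.toString(ok));

            // Denied: a class that is not listed (here java.util.ArrayList) stays invisible,
            // so the script fails with a Rhino error instead of getting a Java object.
            try {
                cx.evaluateString(scope, "new Packages.java.util.ArrayList()", "denied.js", 1, null);
            } catch (RhinoException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        } finally {
            Context.exit();
        }
    }
}
```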
