This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to branch issue/SLING-12276 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 40624588ff917e1dbd683222607e23f12849594e Author: Robert Munteanu <romb...@apache.org> AuthorDate: Tue Mar 26 09:50:38 2024 +0100 SLING-12276 - Update to java-html-sanitizer 20240325.1 - remove shade plugin configuration - stop embedding guava classes - rework our overrides to no longer use Guava Bundle size is down from 4.1 to 1.9 MB --- bnd.bnd | 8 ----- pom.xml | 35 +--------------------- .../sling/xss/impl/AntiSamyPolicyAdapter.java | 13 ++++---- .../org/apache/sling/xss/impl/HtmlSanitizer.java | 17 +++++------ .../html/DynamicAttributesSanitizerPolicy.java | 9 ++---- 5 files changed, 18 insertions(+), 64 deletions(-) diff --git a/bnd.bnd b/bnd.bnd index 1c193b8..5463402 100644 --- a/bnd.bnd +++ b/bnd.bnd @@ -35,14 +35,6 @@ Import-Package: !bsh, \ * Private-Package: org.apache.sling.xss.impl, \ org.apache.batik.*, \ - com.google.common.base, \ - com.google.common.collect, \ - com.google.common.io, \ - com.google.common.base.internal, \ - com.google.common.graph, \ - com.google.common.hash, \ - com.google.common.math, \ - com.google.common.primitives, \ org.w3c.css.sac, \ org.apache.commons.beanutils.*, \ org.apache.commons.configuration.*, \ diff --git a/pom.xml b/pom.xml index 593f7aa..9469da2 100644 --- a/pom.xml +++ b/pom.xml @@ -169,33 +169,6 @@ </includes> </configuration> </plugin> - <!-- Shade 3rdparty libs to avoid classpath conflicts in unit tests --> - <plugin> - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-shade-plugin</artifactId> - <configuration> - <artifactSet> - <includes> - <include>com.google.guava:*</include> - </includes> - </artifactSet> - <createSourcesJar>true</createSourcesJar> - <relocations> - <relocation> - <pattern>com.google.common</pattern> - <shadedPattern>slingxss.com.google.common</shadedPattern> - </relocation> - </relocations> - </configuration> - <executions> - <execution> - <phase>package</phase> - <goals> - <goal>shade</goal> - </goals> - </execution> - </executions> - </plugin> </plugins> </build> 
@@ -206,7 +179,7 @@ <dependency> <groupId>com.googlecode.owasp-java-html-sanitizer</groupId> <artifactId>owasp-java-html-sanitizer</artifactId> - <version>20220608.1</version> + <version>20240325.1</version> <scope>provided</scope> </dependency> <dependency> @@ -359,12 +332,6 @@ <version>3.2.3</version> <scope>provided</scope> </dependency> - <dependency> - <groupId>com.google.guava</groupId> - <artifactId>guava</artifactId> - <version>32.1.3-jre</version> - <scope>provided</scope> - </dependency> <dependency> <groupId>org.junit.jupiter</groupId> <artifactId>junit-jupiter</artifactId> diff --git a/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java b/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java index 19504f1..5a682a3 100644 --- a/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java +++ b/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java @@ -23,6 +23,7 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.function.Predicate; import java.util.regex.Pattern; import org.apache.sling.xss.impl.style.CssValidator; @@ -34,8 +35,6 @@ import org.owasp.html.AttributePolicy; import org.owasp.html.HtmlPolicyBuilder; import org.owasp.html.PolicyFactory; -import com.google.common.base.Predicate; - import sun.misc.Unsafe; public class AntiSamyPolicyAdapter { @@ -210,7 +209,7 @@ public class AntiSamyPolicyAdapter { private static Predicate<String> matchesToPatterns(List<Pattern> patternList) { return new Predicate<String>() { @Override - public boolean apply(String s) { + public boolean test(String s) { for (Pattern pattern : patternList) { if (pattern.matcher(s).matches()) { return true; 
@@ -224,10 +223,10 @@ public class AntiSamyPolicyAdapter { private static Predicate<String> matchesPatternsOrLiterals(List<Pattern> patternList, boolean ignoreCase, List<String> literalList) { return new Predicate<String>() { @Override - public boolean apply(String s) { + public boolean test(String s) { // check if the string matches to the pattern or one of the literal s = ignoreCase ? s.toLowerCase() : s; - return matchesToPatterns(patternList).apply(s) || literalList.contains(s); + return matchesToPatterns(patternList).test(s) || literalList.contains(s); } }; } @@ -237,14 +236,14 @@ public class AntiSamyPolicyAdapter { @Override public @Nullable String apply(String elementName, String attributeName, String value) { if (!literalList.isEmpty() && !patternList.isEmpty()) { - return matchesPatternsOrLiterals(patternList, ignoreCase, literalList).apply(value) ? value : null; + return matchesPatternsOrLiterals(patternList, ignoreCase, literalList).test(value) ? value : null; } else if (!literalList.isEmpty()) { value = ignoreCase ? value.toLowerCase() : value; return literalList.contains(value) ? value : null; } else if (!patternList.isEmpty()) { - return matchesToPatterns(patternList).apply(value) ? value : null; + return matchesToPatterns(patternList).test(value) ? value : null; } return null; } diff --git a/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java b/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java index 777068a..a9cd975 100644 --- a/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java +++ b/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java @@ -19,7 +19,9 @@ package org.apache.sling.xss.impl; import java.lang.reflect.Field; +import java.util.Map; import java.util.Objects; +import java.util.Set; import org.apache.sling.xss.impl.xml.AntiSamyPolicy; import org.owasp.html.DynamicAttributesSanitizerPolicy; 
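Review bot: The `s.toLowerCase()` call in `matchesPatternsOrLiterals` uses the JVM default locale, so the outcome of this allow-list check depends on where the bundle runs. Under a Turkish locale, for example, an upper-case `I` lowercases to a dotless `ı` and would no longer equal an ASCII literal in `literalList`. Since the commit already rewrites the neighbouring line, I would pin the locale with `s = ignoreCase ? s.toLowerCase(Locale.ROOT) : s;` (this needs `import java.util.Locale;`). The same unpinned call is made on `value` in the literal-only branch of the `@@ -237,14 +236,14 @@` hunk.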
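Review bot: The three branches of `apply` handle `ignoreCase` differently, and nothing in the method says whether that is intended. With both lists present, the patterns are tested against the lower-cased string (inside `matchesPatternsOrLiterals`) but the original `value` is returned. With literals only, the lower-cased `value` is returned, and with patterns only, `ignoreCase` is not consulted at all. In a sanitizer the set of accepted and emitted values should be easy to reason about, so I would add a short comment above the `if` chain stating which form of the value each branch matches and returns, or align the branches if the difference is accidental. The enclosing anonymous class starts above the hunk.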
@@ -28,14 +30,11 @@ import org.owasp.html.HtmlStreamEventReceiver; import org.owasp.html.HtmlStreamRenderer; import org.owasp.html.PolicyFactory; -import com.google.common.collect.ImmutableMap; -import com.google.common.collect.ImmutableSet; - public class HtmlSanitizer { private AntiSamyPolicyAdapter customPolicy; - private ImmutableMap policies; - private ImmutableSet<String> textContainers; + private Map policies; + private Set<String> textContainers; public HtmlSanitizer(AntiSamyPolicy policy) { this.customPolicy = new AntiSamyPolicyAdapter(policy); @@ -54,23 +53,23 @@ public class HtmlSanitizer { return new SanitizedResult(sb.toString(), dynamicPolicy.getNumberOfErrors()); } - private ImmutableSet<String> reflectionGetTextContainers(PolicyFactory policyFactory) { + private Set<String> reflectionGetTextContainers(PolicyFactory policyFactory) { Class<?> c = policyFactory.getClass(); try { Field field = c.getDeclaredField("textContainers"); field.setAccessible(true); - return (ImmutableSet<String>) field.get(policyFactory); + return (Set<String>) field.get(policyFactory); } catch (NoSuchFieldException | SecurityException | IllegalAccessException e) { throw new RuntimeException(e); } } - private ImmutableMap reflectionGetPolicies(PolicyFactory policyFactory) { + private Map reflectionGetPolicies(PolicyFactory policyFactory) { Class<?> c = policyFactory.getClass(); try { Field field = c.getDeclaredField("policies"); field.setAccessible(true); - return (ImmutableMap) field.get(policyFactory); + return (Map) field.get(policyFactory); } catch (NoSuchFieldException | SecurityException | IllegalAccessException e) { throw new RuntimeException(e); } diff --git a/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java b/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java index cd8b460..41f22ba 100644 --- a/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java +++ b/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java 
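Review bot: `reflectionGetTextContainers` and `reflectionGetPolicies` read private fields of `PolicyFactory` by name, so a library upgrade such as this one can break them only at runtime, and the bare `throw new RuntimeException(e);` gives the operator no hint why. I would name the field and the dependency in the message, e.g. `throw new RuntimeException("Cannot read PolicyFactory.textContainers; check the owasp-java-html-sanitizer version", e);`, and add a comment on each method recording which library version the field names were checked against. Widening the return types from `ImmutableSet`/`ImmutableMap` to `Set`/`Map` also drops the compile-time guarantee that the factory's internal state handed out here cannot be modified. Whether the new library version still stores immutable collections is not visible in this diff. `reflectionGetPolicies` closes outside the hunk.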
@@ -19,18 +19,15 @@ package org.owasp.html; import java.lang.reflect.InvocationTargetException; - import java.lang.reflect.Method; import java.util.List; import java.util.ListIterator; import java.util.Map; import java.util.Map.Entry; +import java.util.Set; import org.jetbrains.annotations.Nullable; -import com.google.common.collect.ImmutableMap; -import com.google.common.collect.ImmutableSet; - /** * Extends the default policy to support dynamic attributes. * @@ -47,8 +44,8 @@ public class DynamicAttributesSanitizerPolicy extends ElementAndAttributePolicyB private int numberOfErrors; public DynamicAttributesSanitizerPolicy(HtmlStreamEventReceiver out, - ImmutableMap<String, ElementAndAttributePolicies> elAndAttrPolicies, - ImmutableSet<String> allowedTextContainers, + Map<String, ElementAndAttributePolicies> elAndAttrPolicies, + Set<String> allowedTextContainers, Map<String, AttributePolicy> dynamicAttributesPolicyMap, List<String> onInvalidRemoveTagList) { super(out, elAndAttrPolicies, allowedTextContainers); this.elementAndAttrPolicies = elAndAttrPolicies;
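Review bot: The constructor keeps `elAndAttrPolicies` by reference (`this.elementAndAttrPolicies = elAndAttrPolicies;`), and with the parameters widened from `ImmutableMap`/`ImmutableSet` to `Map`/`Set` the types no longer stop a caller from passing, or later modifying, a mutable collection. These collections decide which elements and attributes survive sanitization, so I would state in the constructor Javadoc that they must not be modified after construction. Alternatively, wrap the stored reference with `this.elementAndAttrPolicies = Collections.unmodifiableMap(elAndAttrPolicies);` (this needs `import java.util.Collections;`). The constructor body continues outside the hunk, so how `allowedTextContainers` is stored is not visible here.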