This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
The following commit(s) were added to refs/heads/master by this push:
new 7b44bef SLING-12276 - Update to java-html-sanitizer 20240325.1 (#42)
7b44bef is described below
commit 7b44befd3ef8a530ef7b86887c6c9ffb4c99f4f4
Author: Robert Munteanu <romb...@apache.org>
AuthorDate: Fri Apr 12 13:50:10 2024 +0200
SLING-12276 - Update to java-html-sanitizer 20240325.1 (#42)
- remove shade plugin configuration
- stop embedding guava classes
- rework our overrides to no longer use Guava
- inline the new shim classes in the resulting jar.
- force the osgi.ee requirement to Java 8
---
bnd.bnd | 12 +++----
pom.xml | 41 ++++------------------
.../sling/xss/impl/AntiSamyPolicyAdapter.java | 13 ++++---
.../org/apache/sling/xss/impl/HtmlSanitizer.java | 17 +++++----
.../html/DynamicAttributesSanitizerPolicy.java | 9 ++---
5 files changed, 27 insertions(+), 65 deletions(-)
diff --git a/bnd.bnd b/bnd.bnd
index 1c193b8..668c21e 100644
--- a/bnd.bnd
+++ b/bnd.bnd
@@ -35,18 +35,14 @@ Import-Package: !bsh, \
*
Private-Package: org.apache.sling.xss.impl, \
org.apache.batik.*, \
- com.google.common.base, \
- com.google.common.collect, \
- com.google.common.io, \
- com.google.common.base.internal, \
- com.google.common.graph, \
- com.google.common.hash, \
- com.google.common.math, \
- com.google.common.primitives, \
org.w3c.css.sac, \
org.apache.commons.beanutils.*, \
org.apache.commons.configuration.*, \
org.apache.commons.logging.impl, \
org.owasp.esapi.*;-split-package:=merge-first, \
org.owasp.validator.*, \
+ org.owasp.shim;-split-package:=merge-first, \
org.owasp.html.*;-split-package:=merge-first
+# Override Java 10 requirement detected due to java10 shim
+# as it is only used at runtime if applicable
+Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"
diff --git a/pom.xml b/pom.xml
index 593f7aa..859bf1b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -80,7 +80,11 @@
<ignore>org.apache.avalon.*</ignore>
<ignore>org.apache.log.*</ignore>
<ignore>org.owasp.validator.html.*</ignore>
- <ignore>org.w3c.dom.svg.*</ignore>
+ <ignore>org.w3c.dom.svg.*</ignore>
+ <!-- Classes with newer method signatures
dynamically loaded by the java-html-sanitizer java10 shim -->
+ <ignore>java.util.Set</ignore>
+ <ignore>java.util.Map</ignore>
+ <ignore>java.util.List</ignore>
</ignores>
<annotations>com.google.common.hash.IgnoreJRERequirement</annotations>
</configuration>
@@ -169,33 +173,6 @@
</includes>
</configuration>
</plugin>
- <!-- Shade 3rdparty libs to avoid classpath conflicts in unit
tests -->
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-shade-plugin</artifactId>
- <configuration>
- <artifactSet>
- <includes>
- <include>com.google.guava:*</include>
- </includes>
- </artifactSet>
- <createSourcesJar>true</createSourcesJar>
- <relocations>
- <relocation>
- <pattern>com.google.common</pattern>
-
<shadedPattern>slingxss.com.google.common</shadedPattern>
- </relocation>
- </relocations>
- </configuration>
- <executions>
- <execution>
- <phase>package</phase>
- <goals>
- <goal>shade</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
</plugins>
</build>
@@ -206,7 +183,7 @@
<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
- <version>20220608.1</version>
+ <version>20240325.1</version>
<scope>provided</scope>
</dependency>
<dependency>
@@ -359,12 +336,6 @@
<version>3.2.3</version>
<scope>provided</scope>
</dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>32.1.3-jre</version>
- <scope>provided</scope>
- </dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
diff --git a/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java
b/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java
index 19504f1..5a682a3 100644
--- a/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java
+++ b/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java
@@ -23,6 +23,7 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.function.Predicate;
import java.util.regex.Pattern;
import org.apache.sling.xss.impl.style.CssValidator;
@@ -34,8 +35,6 @@ import org.owasp.html.AttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
-import com.google.common.base.Predicate;
-
import sun.misc.Unsafe;
public class AntiSamyPolicyAdapter {
@@ -210,7 +209,7 @@ public class AntiSamyPolicyAdapter {
private static Predicate<String> matchesToPatterns(List<Pattern>
patternList) {
return new Predicate<String>() {
@Override
- public boolean apply(String s) {
+ public boolean test(String s) {
for (Pattern pattern : patternList) {
if (pattern.matcher(s).matches()) {
return true;
@@ -224,10 +223,10 @@ public class AntiSamyPolicyAdapter {
private static Predicate<String> matchesPatternsOrLiterals(List<Pattern>
patternList, boolean ignoreCase, List<String> literalList) {
return new Predicate<String>() {
@Override
- public boolean apply(String s) {
+ public boolean test(String s) {
// check if the string matches to the pattern or one of the
literal
s = ignoreCase ? s.toLowerCase() : s;
- return matchesToPatterns(patternList).apply(s) ||
literalList.contains(s);
+ return matchesToPatterns(patternList).test(s) ||
literalList.contains(s);
}
};
}
@@ -237,14 +236,14 @@ public class AntiSamyPolicyAdapter {
@Override
public @Nullable String apply(String elementName, String
attributeName, String value) {
if (!literalList.isEmpty() && !patternList.isEmpty()) {
- return matchesPatternsOrLiterals(patternList, ignoreCase,
literalList).apply(value) ? value : null;
+ return matchesPatternsOrLiterals(patternList, ignoreCase,
literalList).test(value) ? value : null;
} else if (!literalList.isEmpty()) {
value = ignoreCase ? value.toLowerCase() : value;
return literalList.contains(value) ? value : null;
} else if (!patternList.isEmpty()) {
- return matchesToPatterns(patternList).apply(value) ? value
: null;
+ return matchesToPatterns(patternList).test(value) ? value
: null;
}
return null;
}
diff --git a/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java
b/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java
index 777068a..a9cd975 100644
--- a/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java
+++ b/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java
@@ -19,7 +19,9 @@
package org.apache.sling.xss.impl;
import java.lang.reflect.Field;
+import java.util.Map;
import java.util.Objects;
+import java.util.Set;
import org.apache.sling.xss.impl.xml.AntiSamyPolicy;
import org.owasp.html.DynamicAttributesSanitizerPolicy;
@@ -28,14 +30,11 @@ import org.owasp.html.HtmlStreamEventReceiver;
import org.owasp.html.HtmlStreamRenderer;
import org.owasp.html.PolicyFactory;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
-
public class HtmlSanitizer {
private AntiSamyPolicyAdapter customPolicy;
- private ImmutableMap policies;
- private ImmutableSet<String> textContainers;
+ private Map policies;
+ private Set<String> textContainers;
public HtmlSanitizer(AntiSamyPolicy policy) {
this.customPolicy = new AntiSamyPolicyAdapter(policy);
@@ -54,23 +53,23 @@ public class HtmlSanitizer {
return new SanitizedResult(sb.toString(),
dynamicPolicy.getNumberOfErrors());
}
- private ImmutableSet<String> reflectionGetTextContainers(PolicyFactory
policyFactory) {
+ private Set<String> reflectionGetTextContainers(PolicyFactory
policyFactory) {
Class<?> c = policyFactory.getClass();
try {
Field field = c.getDeclaredField("textContainers");
field.setAccessible(true);
- return (ImmutableSet<String>) field.get(policyFactory);
+ return (Set<String>) field.get(policyFactory);
} catch (NoSuchFieldException | SecurityException |
IllegalAccessException e) {
throw new RuntimeException(e);
}
}
- private ImmutableMap reflectionGetPolicies(PolicyFactory policyFactory) {
+ private Map reflectionGetPolicies(PolicyFactory policyFactory) {
Class<?> c = policyFactory.getClass();
try {
Field field = c.getDeclaredField("policies");
field.setAccessible(true);
- return (ImmutableMap) field.get(policyFactory);
+ return (Map) field.get(policyFactory);
} catch (NoSuchFieldException | SecurityException |
IllegalAccessException e) {
throw new RuntimeException(e);
}
diff --git a/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java
b/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java
index cd8b460..41f22ba 100644
--- a/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java
+++ b/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java
@@ -19,18 +19,15 @@
package org.owasp.html;
import java.lang.reflect.InvocationTargetException;
-
import java.lang.reflect.Method;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Map.Entry;
+import java.util.Set;
import org.jetbrains.annotations.Nullable;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
-
/**
* Extends the default policy to support dynamic attributes.
*
@@ -47,8 +44,8 @@ public class DynamicAttributesSanitizerPolicy extends
ElementAndAttributePolicyB
private int numberOfErrors;
public DynamicAttributesSanitizerPolicy(HtmlStreamEventReceiver out,
- ImmutableMap<String, ElementAndAttributePolicies> elAndAttrPolicies,
- ImmutableSet<String> allowedTextContainers,
+ Map<String, ElementAndAttributePolicies> elAndAttrPolicies,
+ Set<String> allowedTextContainers,
Map<String, AttributePolicy> dynamicAttributesPolicyMap, List<String>
onInvalidRemoveTagList) {
super(out, elAndAttrPolicies, allowedTextContainers);
this.elementAndAttrPolicies = elAndAttrPolicies;
