SLING-12276 - Update to java-html-sanitizer 20240325.1 (#42)
- remove shade plugin configuration
- stop embedding guava classes
- rework our overrides to no longer use Guava
- inline the new shim classes in the resulting jar.
- force the osgi.ee requirement to Java 8
diff --git a/bnd.bnd b/bnd.bnd
index 1c193b8..668c21e 100644
--- a/bnd.bnd
+++ b/bnd.bnd
@@ -35,18 +35,14 @@
*
Private-Package: org.apache.sling.xss.impl, \
org.apache.batik.*, \
- com.google.common.base, \
- com.google.common.collect, \
- com.google.common.io, \
- com.google.common.base.internal, \
- com.google.common.graph, \
- com.google.common.hash, \
- com.google.common.math, \
- com.google.common.primitives, \
org.w3c.css.sac, \
org.apache.commons.beanutils.*, \
org.apache.commons.configuration.*, \
org.apache.commons.logging.impl, \
org.owasp.esapi.*;-split-package:=merge-first, \
org.owasp.validator.*, \
+ org.owasp.shim;-split-package:=merge-first, \
org.owasp.html.*;-split-package:=merge-first
+# Override Java 10 requirement detected due to java10 shim
+# as it is only used at runtime if applicable
+Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"
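Review bot: The hard-coded `Require-Capability` replaces bnd's computed execution-environment requirement for the whole bundle, not only for the java10 shim, so any future Java 9+ API use in this bundle's own code would still be advertised as Java 8 compatible at resolve time. The only remaining guard is the animal-sniffer check in pom.xml, and this same commit relaxes it for `java.util.Set`, `Map` and `List`. The comment should say that the override has to be re-evaluated on every sanitizer upgrade, e.g. `# Revisit on each owasp-java-html-sanitizer upgrade: this override hides any new EE requirement the library may pick up`.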
diff --git a/pom.xml b/pom.xml
index 593f7aa..859bf1b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -80,7 +80,11 @@
<ignore>org.apache.avalon.*</ignore>
<ignore>org.apache.log.*</ignore>
<ignore>org.owasp.validator.html.*</ignore>
- <ignore>org.w3c.dom.svg.*</ignore>
+ <ignore>org.w3c.dom.svg.*</ignore>
+ <!-- Classes with newer method signatures dynamically loaded by the java-html-sanitizer java10 shim -->
+ <ignore>java.util.Set</ignore>
+ <ignore>java.util.Map</ignore>
+ <ignore>java.util.List</ignore>
</ignores>
<annotations>com.google.common.hash.IgnoreJRERequirement</annotations>
</configuration>
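Review bot: The three new `<ignore>` entries switch off animal-sniffer's signature check for every method of `java.util.Set`, `Map` and `List`, not just for the shim's call sites, so an accidental `Set.of(...)`, `Map.of(...)` or `List.of(...)` anywhere in this bundle would now pass the build and only surface as a `NoSuchMethodError` on Java 8 at runtime. This is presumably unavoidable if the shim binds those methods statically; if it resolves them reflectively the ignores may not be needed at all, which is worth confirming against the shim source before accepting the weaker check. The retained `<annotations>com.google.common.hash.IgnoreJRERequirement</annotations>` on the next line targeted the embedded Guava classes that this commit stops shipping and looks stale now.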
@@ -169,33 +173,6 @@
</includes>
</configuration>
</plugin>
- <!-- Shade 3rdparty libs to avoid classpath conflicts in unit tests -->
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-shade-plugin</artifactId>
- <configuration>
- <artifactSet>
- <includes>
- <include>com.google.guava:*</include>
- </includes>
- </artifactSet>
- <createSourcesJar>true</createSourcesJar>
- <relocations>
- <relocation>
- <pattern>com.google.common</pattern>
- <shadedPattern>slingxss.com.google.common</shadedPattern>
- </relocation>
- </relocations>
- </configuration>
- <executions>
- <execution>
- <phase>package</phase>
- <goals>
- <goal>shade</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
</plugins>
</build>
@@ -206,7 +183,7 @@
<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
- <version>20220608.1</version>
+ <version>20240325.1</version>
<scope>provided</scope>
</dependency>
<dependency>
@@ -360,12 +337,6 @@
<scope>provided</scope>
</dependency>
<dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>32.1.3-jre</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>5.8.2</version>
diff --git a/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java b/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java
index 19504f1..5a682a3 100644
--- a/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java
+++ b/src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java
@@ -23,6 +23,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.function.Predicate;
import java.util.regex.Pattern;
import org.apache.sling.xss.impl.style.CssValidator;
@@ -34,8 +35,6 @@
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
-import com.google.common.base.Predicate;
-
import sun.misc.Unsafe;
public class AntiSamyPolicyAdapter {
@@ -210,7 +209,7 @@
private static Predicate<String> matchesToPatterns(List<Pattern> patternList) {
return new Predicate<String>() {
@Override
- public boolean apply(String s) {
+ public boolean test(String s) {
for (Pattern pattern : patternList) {
if (pattern.matcher(s).matches()) {
return true;
@@ -224,10 +223,10 @@
private static Predicate<String> matchesPatternsOrLiterals(List<Pattern> patternList, boolean ignoreCase, List<String> literalList) {
return new Predicate<String>() {
@Override
- public boolean apply(String s) {
+ public boolean test(String s) {
// check if the string matches to the pattern or one of the literal
s = ignoreCase ? s.toLowerCase() : s;
- return matchesToPatterns(patternList).apply(s) || literalList.contains(s);
+ return matchesToPatterns(patternList).test(s) || literalList.contains(s);
}
};
}
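Review bot: `s.toLowerCase()` on the context line before the changed `return` folds case with the JVM default locale, so whether an attribute value matches an allowed literal depends on the server's locale (an uppercase `I` is not lowercased to `i` under a Turkish locale), making the allow-list decision environment-dependent; use `s = ignoreCase ? s.toLowerCase(Locale.ROOT) : s;` and import `java.util.Locale`. The same applies to `value.toLowerCase()` in the following hunk at the `literalList.contains(value)` branch, and presumably the literals were lowercased the same way when the policy was loaded — worth confirming so both sides agree. Separately, `matchesToPatterns(patternList)` builds a fresh predicate on every `test` call; hoisting it into a local before the anonymous class is created avoids that.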
@@ -237,14 +236,14 @@
@Override
public @Nullable String apply(String elementName, String attributeName, String value) {
if (!literalList.isEmpty() && !patternList.isEmpty()) {
- return matchesPatternsOrLiterals(patternList, ignoreCase, literalList).apply(value) ? value : null;
+ return matchesPatternsOrLiterals(patternList, ignoreCase, literalList).test(value) ? value : null;
} else if (!literalList.isEmpty()) {
value = ignoreCase ? value.toLowerCase() : value;
return literalList.contains(value) ? value : null;
} else if (!patternList.isEmpty()) {
- return matchesToPatterns(patternList).apply(value) ? value : null;
+ return matchesToPatterns(patternList).test(value) ? value : null;
}
return null;
}
diff --git a/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java b/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java
index 777068a..a9cd975 100644
--- a/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java
+++ b/src/main/java/org/apache/sling/xss/impl/HtmlSanitizer.java
@@ -19,7 +19,9 @@
package org.apache.sling.xss.impl;
import java.lang.reflect.Field;
+import java.util.Map;
import java.util.Objects;
+import java.util.Set;
import org.apache.sling.xss.impl.xml.AntiSamyPolicy;
import org.owasp.html.DynamicAttributesSanitizerPolicy;
@@ -28,14 +30,11 @@
import org.owasp.html.HtmlStreamRenderer;
import org.owasp.html.PolicyFactory;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
-
public class HtmlSanitizer {
private AntiSamyPolicyAdapter customPolicy;
- private ImmutableMap policies;
- private ImmutableSet<String> textContainers;
+ private Map policies;
+ private Set<String> textContainers;
public HtmlSanitizer(AntiSamyPolicy policy) {
this.customPolicy = new AntiSamyPolicyAdapter(policy);
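Review bot: `private Map policies;` keeps the raw type the old `ImmutableMap` field had, even though the value is handed to `DynamicAttributesSanitizerPolicy`, whose constructor now declares `Map<String, ElementAndAttributePolicies>`; declaring the field, and the return type of `reflectionGetPolicies` in the next hunk, as `Map<String, ElementAndAttributePolicies>` confines the single unchecked cast to the reflective read. Note also that `java.util.Map` and `Set` are plain interfaces, so nothing in this class now expresses that the reflected collections must not be modified, which the previous types did by construction; a field comment stating that would preserve that intent. The class body continues outside the hunk.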
@@ -54,23 +53,23 @@
return new SanitizedResult(sb.toString(), dynamicPolicy.getNumberOfErrors());
}
- private ImmutableSet<String> reflectionGetTextContainers(PolicyFactory policyFactory) {
+ private Set<String> reflectionGetTextContainers(PolicyFactory policyFactory) {
Class<?> c = policyFactory.getClass();
try {
Field field = c.getDeclaredField("textContainers");
field.setAccessible(true);
- return (ImmutableSet<String>) field.get(policyFactory);
+ return (Set<String>) field.get(policyFactory);
} catch (NoSuchFieldException | SecurityException | IllegalAccessException e) {
throw new RuntimeException(e);
}
}
- private ImmutableMap reflectionGetPolicies(PolicyFactory policyFactory) {
+ private Map reflectionGetPolicies(PolicyFactory policyFactory) {
Class<?> c = policyFactory.getClass();
try {
Field field = c.getDeclaredField("policies");
field.setAccessible(true);
- return (ImmutableMap) field.get(policyFactory);
+ return (Map) field.get(policyFactory);
} catch (NoSuchFieldException | SecurityException | IllegalAccessException e) {
throw new RuntimeException(e);
}
diff --git a/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java b/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java
index cd8b460..41f22ba 100644
--- a/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java
+++ b/src/main/java/org/owasp/html/DynamicAttributesSanitizerPolicy.java
@@ -19,18 +19,15 @@
package org.owasp.html;
import java.lang.reflect.InvocationTargetException;
-
import java.lang.reflect.Method;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Map.Entry;
+import java.util.Set;
import org.jetbrains.annotations.Nullable;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
-
/**
* Extends the default policy to support dynamic attributes.
*
@@ -47,8 +44,8 @@
private int numberOfErrors;
public DynamicAttributesSanitizerPolicy(HtmlStreamEventReceiver out,
- ImmutableMap<String, ElementAndAttributePolicies> elAndAttrPolicies,
- ImmutableSet<String> allowedTextContainers,
+ Map<String, ElementAndAttributePolicies> elAndAttrPolicies,
+ Set<String> allowedTextContainers,
Map<String, AttributePolicy> dynamicAttributesPolicyMap, List<String> onInvalidRemoveTagList) {
super(out, elAndAttrPolicies, allowedTextContainers);
this.elementAndAttrPolicies = elAndAttrPolicies;
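Review bot: With the parameter types widened from `ImmutableMap`/`ImmutableSet` to `Map`/`Set`, `this.elementAndAttrPolicies = elAndAttrPolicies;` stores the caller's collection by reference, so the policy no longer carries the immutability guarantee the old types gave and a later modification of that map would silently change what the sanitizer allows. If callers may pass mutable collections, wrap at the assignment, `this.elementAndAttrPolicies = Collections.unmodifiableMap(elAndAttrPolicies);` (importing `java.util.Collections`), or state in the class Javadoc that the collections must not be modified after construction. The constructor body continues outside the hunk, so the same presumably applies to the other stored parameters.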