Posted to commits@myfaces.apache.org by hn...@apache.org on 2022/05/25 08:08:35 UTC

[myfaces-tobago] branch tobago-5.x updated: build(deps): update jsoup

This is an automated email from the ASF dual-hosted git repository.

hnoeth pushed a commit to branch tobago-5.x
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git


The following commit(s) were added to refs/heads/tobago-5.x by this push:
     new 96b6d4300d build(deps): update jsoup
96b6d4300d is described below

commit 96b6d4300d686041650c14f46733c71e71f00ac9
Author: Henning Noeth <hn...@apache.org>
AuthorDate: Wed May 18 15:21:25 2022 +0200

    build(deps): update jsoup
    
    * update jsoup
    * use "safelist" instead of "whitelist"
      "whitelist" is now deprecated
    
    Issue: TOBAGO-2134
---
 pom.xml                                            |  2 +-
 .../tobago/internal/config/TobagoConfigMerger.java |  2 +-
 .../tobago/internal/config/TobagoConfigParser.java |  4 +++
 .../myfaces/tobago/sanitizer/JsoupSanitizer.java   | 41 ++++++++++++----------
 .../myfaces/tobago/config/tobago-config-5.1.xsd    |  2 +-
 .../src/main/webapp/WEB-INF/tobago-config.xml      |  2 +-
 .../280-security/10-sanitize/Sanitize.xhtml        |  2 +-
 7 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/pom.xml b/pom.xml
index 2c31bbf388..b1341c89b5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -273,7 +273,7 @@
         <!-- jsoup HTML parser library -->
         <groupId>org.jsoup</groupId>
         <artifactId>jsoup</artifactId>
-        <version>1.14.3</version>
+        <version>1.15.1</version>
       </dependency>
       <dependency>
         <groupId>org.apache.myfaces.test</groupId>
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java
index 80a20fa459..51a4a25ebe 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java
@@ -57,7 +57,7 @@ public class TobagoConfigMerger {
     // default sanitizer
     String sanitizerClass = JsoupSanitizer.class.getName();
     Properties sanitizerProperties = new Properties();
-    sanitizerProperties.setProperty("whitelist", "relaxed");
+    sanitizerProperties.setProperty("safelist", "relaxed");
 
     for (TobagoConfigFragment fragment : fragments) {
 
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
index dd04ec2be7..ad8b08b255 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
@@ -445,6 +445,10 @@ public class TobagoConfigParser extends TobagoConfigEntityResolver {
       case SANITIZER:
         if (properties != null) {
           tobagoConfig.setSanitizerProperties(properties);
+          if (properties.get("whitelist") != null) {
+            LOG.warn("<sanitizer><properties><entry key=\"whitelist\"> is deprecated:"
+              + " use <sanitizer><properties><entry key=\"safelist\"> instead.");
+          }
         }
         properties = null;
         break;
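Review bot: The presence test on the added line `if (properties.get("whitelist") != null)` goes through the raw Hashtable view of `Properties`; `if (properties.containsKey("whitelist")) {` states the intent (key present) directly and does not depend on the stored value being non-null. The deprecated key is only reported here, not rewritten, so every consumer of the sanitizer properties still has to accept `whitelist` itself, and the warning says nothing about what happens when `whitelist` and `safelist` are both configured; a short clause such as `" If both keys are present, 'safelist' should be preferred."` would tell the administrator what to expect, provided the consumer actually implements that precedence. The enclosing switch and method start before this hunk.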
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
index a1d24d7bba..5cea11e63f 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
@@ -21,7 +21,7 @@ package org.apache.myfaces.tobago.sanitizer;
 
 import org.apache.myfaces.tobago.exception.TobagoConfigurationException;
 import org.jsoup.Jsoup;
-import org.jsoup.safety.Whitelist;
+import org.jsoup.safety.Safelist;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -35,15 +35,15 @@ public class JsoupSanitizer implements Sanitizer {
 
   private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 
-  private Whitelist whitelist;
-  private String whitelistName;
+  private Safelist safelist;
+  private String safelistName;
 
   private boolean unmodifiable = false;
 
   @Override
   public String sanitize(final String html) {
 
-    final String safe = Jsoup.clean(html, whitelist);
+    final String safe = Jsoup.clean(html, safelist);
     if (LOG.isDebugEnabled()) {
       LOG.debug("Sanitized: " + safe);
     }
@@ -56,22 +56,25 @@ public class JsoupSanitizer implements Sanitizer {
 
     unmodifiable = true;
 
-    for (final String key : configuration.stringPropertyNames()) {
+    for (String key : configuration.stringPropertyNames()) {
       if ("whitelist".equals(key)) {
-        whitelistName = configuration.getProperty(key);
-        if ("basic".equals(whitelistName)) {
-          whitelist = Whitelist.basic();
-        } else if ("basicWithImages".equals(whitelistName)) {
-          whitelist = Whitelist.basicWithImages();
-        } else if ("none".equals(whitelistName)) {
-          whitelist = Whitelist.none();
-        } else if ("relaxed".equals(whitelistName)) {
-          whitelist = Whitelist.relaxed();
-        } else if ("simpleText".equals(whitelistName)) {
-          whitelist = Whitelist.simpleText();
+        key = "safelist";
+      }
+      if ("safelist".equals(key)) {
+        safelistName = configuration.getProperty(key);
+        if ("basic".equals(safelistName)) {
+          safelist = Safelist.basic();
+        } else if ("basicWithImages".equals(safelistName)) {
+          safelist = Safelist.basicWithImages();
+        } else if ("none".equals(safelistName)) {
+          safelist = Safelist.none();
+        } else if ("relaxed".equals(safelistName)) {
+          safelist = Safelist.relaxed();
+        } else if ("simpleText".equals(safelistName)) {
+          safelist = Safelist.simpleText();
         } else {
           throw new TobagoConfigurationException(
-              "Unknown configuration value for 'whitelist' in tobago-config.xml found! value='" + whitelistName + "'");
+              "Unknown configuration value for 'safelist' in tobago-config.xml found! value='" + safelistName + "'");
         }
       } else {
         throw new TobagoConfigurationException(
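Review bot: When a configuration carries both the deprecated `whitelist` key and `safelist`, the loop rewrites the first onto the second and the later iteration silently overwrites `safelistName` and `safelist`; `stringPropertyNames()` returns a Set with no defined iteration order, so which safelist ends up active (for example `none` versus `relaxed`) is not deterministic. For the component that decides what HTML survives sanitizing, that ambiguity should be rejected rather than resolved by chance, e.g. right after `safelistName = configuration.getProperty(key);` add `if (safelist != null) { throw new TobagoConfigurationException("Both 'whitelist' and 'safelist' are configured in tobago-config.xml; use only 'safelist'."); }` before the name is assigned. Reassigning the loop variable (`key = "safelist";`, which is why its `final` was dropped) would also read more clearly as a separate local, `final String name = "whitelist".equals(key) ? "safelist" : key;`. The enclosing method begins before this hunk and its trailing else-branch continues past it.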
@@ -80,7 +83,7 @@ public class JsoupSanitizer implements Sanitizer {
     }
 
     if (LOG.isInfoEnabled()) {
-      LOG.warn("Using whitelist '" + whitelistName + "' for sanitizing!");
+      LOG.warn("Using safelist '" + safelistName + "' for sanitizing!");
     }
   }
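Review bot: The guard `if (LOG.isInfoEnabled())` does not match the call it protects, which logs at WARN: the message is suppressed whenever INFO is disabled even if WARN is enabled, and when it does appear, a routine startup fact is reported as a warning. The two should agree; `LOG.info("Using safelist '{}' for sanitizing!", safelistName);` inside the existing guard keeps the intent and also replaces the string concatenation with a parameterized message. This hunk is the tail of the method whose body starts in the previous hunk.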
 
@@ -92,7 +95,7 @@ public class JsoupSanitizer implements Sanitizer {
 
   @Override
   public String toString() {
-    return getClass().getSimpleName() + " whitelist='" + whitelistName + "'";
+    return getClass().getSimpleName() + " safelist='" + safelistName + "'";
   }
 
 }
diff --git a/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-5.1.xsd b/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-5.1.xsd
index 7724ea3725..80bc7f4498 100644
--- a/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-5.1.xsd
+++ b/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-5.1.xsd
@@ -128,7 +128,7 @@
             <sanitizer>
               <sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer</sanitizer-class>
               <properties>
-                <entry key="whitelist">relaxed</entry>
+                <entry key="safelist">relaxed</entry>
               </properties>
             </sanitizer>
             ]]>
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
index 0f0c025dee..6c182ba4cb 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
@@ -86,7 +86,7 @@
       &lt;!&ndash;
        Use one of: basic, basicWithImages, relaxed, simpleText or none
        &ndash;&gt;
-      <entry key="whitelist">relaxed</entry>
+      <entry key="safelist">relaxed</entry>
     </properties>
   </sanitizer>
 -->
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/10-sanitize/Sanitize.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/10-sanitize/Sanitize.xhtml
index 8838a4aeed..567c5bef0d 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/10-sanitize/Sanitize.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/280-security/10-sanitize/Sanitize.xhtml
@@ -40,7 +40,7 @@
   &lt;sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer&lt;/sanitizer-class>
   &lt;properties>
     &lt;!-- Use one of: basic, basicWithImages, relaxed, simpleText or none -->
-    &lt;entry key="whitelist">relaxed&lt;/entry>
+    &lt;entry key="safelist">relaxed&lt;/entry>
   &lt;/properties>
 &lt;/sanitizer></demo-highlight>