Posted to commits@isis.apache.org by ah...@apache.org on 2022/06/23 08:28:09 UTC
[isis] branch master updated: ISIS-3077: use Jsoup to sanitize untrusted html
This is an automated email from the ASF dual-hosted git repository.
ahuber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/isis.git
The following commit(s) were added to refs/heads/master by this push:
new 06f9aff530 ISIS-3077: use Jsoup to sanitize untrusted html
06f9aff530 is described below
commit 06f9aff530992d386f31dc156727633a4a42d390
Author: Andi Huber <ah...@apache.org>
AuthorDate: Thu Jun 23 10:28:01 2022 +0200
ISIS-3077: use Jsoup to sanitize untrusted html
---
.../java/org/apache/isis/applib/value/Markup.java | 7 +------
bom/pom.xml | 1 +
commons/pom.xml | 5 +++++
.../isis/commons/internal/hardening/_Hardening.java | 20 +++++++-------------
.../valuesemantics/MarkupValueSemantics.java | 3 ++-
core/pom.xml | 6 ++++++
tooling/pom.xml | 2 --
valuetypes/markdown/pom.xml | 7 -------
8 files changed, 22 insertions(+), 29 deletions(-)
diff --git a/api/applib/src/main/java/org/apache/isis/applib/value/Markup.java b/api/applib/src/main/java/org/apache/isis/applib/value/Markup.java
index fcf9495bca..c47139f5a5 100644
--- a/api/applib/src/main/java/org/apache/isis/applib/value/Markup.java
+++ b/api/applib/src/main/java/org/apache/isis/applib/value/Markup.java
@@ -31,7 +31,6 @@ import org.apache.isis.applib.IsisModuleApplib;
import org.apache.isis.applib.annotation.Value;
import org.apache.isis.commons.internal.base._Strings;
import org.apache.isis.commons.internal.base._Text;
-import org.apache.isis.commons.internal.hardening._Hardening;
import lombok.EqualsAndHashCode;
@@ -59,7 +58,7 @@ public final class Markup implements Serializable {
}
public Markup(final String html) {
- this.html = validate(html!=null ? html : "");
+ this.html = html!=null ? html : "";
}
public String asHtml() {
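Review bot: The public `Markup(String)` constructor now stores its argument unchanged, so the script check that every construction path used to pass through is gone and the only sanitization left is what `MarkupValueSemantics.parseTextRepresentation` applies before calling this constructor. Application code calling `new Markup(html)` directly, and the `JaxbToStringAdapter` declared further down in this file (its body is outside the hunk, so whether it sanitizes cannot be seen here), no longer get any check at all. That is defensible if Markup is meant to hold trusted, developer-authored HTML, but the constructor should say so: `/** @param html HTML that is rendered as-is; this class does not sanitize, so untrusted input must go through {@code _Hardening.toSafeHtml} (as the metamodel's parse path does) before construction. */`. Removing `validate` also drops the `IllegalArgumentException` that callers may have been catching.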
@@ -79,10 +78,6 @@ public final class Markup implements Serializable {
255, "...");
}
- private String validate(final String html) {
- return _Hardening.htmlNoScript(html);
- }
-
public static final class JaxbToStringAdapter extends XmlAdapter<String, Markup> {
/**
diff --git a/bom/pom.xml b/bom/pom.xml
index 6ed77b520d..f213ef1dd4 100644
--- a/bom/pom.xml
+++ b/bom/pom.xml
@@ -404,6 +404,7 @@ under the License.
<jquery-ui.version>1.13.1</jquery-ui.version> <!-- org.webjars:jquery-ui -->
<jsr305.version>3.0.2</jsr305.version>
+ <jsoup.version>1.15.1</jsoup.version>
<junit-jupiter.version>5.8.2</junit-jupiter.version> <!-- overrides spring -->
<junit-platform.version>1.8.2</junit-platform.version>
diff --git a/commons/pom.xml b/commons/pom.xml
index 3973f6677e..b84ababfc2 100644
--- a/commons/pom.xml
+++ b/commons/pom.xml
@@ -73,6 +73,11 @@
<artifactId>jackson-module-jaxb-annotations</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.jsoup</groupId>
+ <artifactId>jsoup</artifactId>
+ </dependency>
+
<dependency>
<groupId>org.jdom</groupId>
<artifactId>jdom2</artifactId>
diff --git a/commons/src/main/java/org/apache/isis/commons/internal/hardening/_Hardening.java b/commons/src/main/java/org/apache/isis/commons/internal/hardening/_Hardening.java
index c59854e196..1dcc9b6c10 100644
--- a/commons/src/main/java/org/apache/isis/commons/internal/hardening/_Hardening.java
+++ b/commons/src/main/java/org/apache/isis/commons/internal/hardening/_Hardening.java
@@ -22,12 +22,12 @@ import java.net.MalformedURLException;
import java.net.URL;
import java.util.Optional;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Safelist;
import org.springframework.lang.Nullable;
import org.apache.isis.commons.internal.base._Strings;
-import lombok.val;
-
/**
* Various hardening utilities.
* <p>
@@ -57,19 +57,13 @@ public class _Hardening {
}
/**
- * @throws IllegalArgumentException - when scripts are encountered
- * @implNote unfortunately has potential for false positives; but shall do for now
+ * @see "https://jsoup.org/cookbook/cleaning-html/safelist-sanitizer"
*/
- public static String htmlNoScript(final @Nullable String html) {
- if(html==null) {
- return null;
- }
- val condensed = _Strings.condenseWhitespaces(html.toLowerCase(), "");
- if(condensed.contains("javascript:")
- || condensed.contains("<script")) {
- throw new IllegalArgumentException("Not parseable as html free of scripts content.");
+ public static String toSafeHtml(final @Nullable String untrustedHtml) {
+ if(_Strings.isEmpty(untrustedHtml)) {
+ return untrustedHtml;
}
- return html;
+ return Jsoup.clean(untrustedHtml, Safelist.basic());
}
}
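Review bot: `toSafeHtml` silently drops whatever `Safelist.basic()` rejects, whereas the removed `htmlNoScript` threw `IllegalArgumentException` on script content, and the new Javadoc (only the `@see` link) says neither what survives nor that the exception is gone. State the contract on the method: `/** Cleans untrusted HTML against jsoup's {@link Safelist#basic()}: simple text formatting and {@code a[href]} on http/https/ftp/mailto survive (jsoup adds rel=nofollow); script, style, img, tables and every other element and attribute are removed. Never throws; null or empty input is returned unchanged. */`. Two jsoup defaults belong in that comment as well, hedged because they come from the library rather than from these lines: no base URI is passed, so relative `href` values are stripped too, and `Jsoup.clean` re-serializes with jsoup's default output settings, so the input's whitespace is not preserved — pass `new Document.OutputSettings().prettyPrint(false)` if Markup text must round-trip. Since this safelist is now the control that keeps scripts out of rendered Markup, the `jsoup.version` property centralized in the BOM should be kept current against upstream advisories.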
diff --git a/core/metamodel/src/main/java/org/apache/isis/core/metamodel/valuesemantics/MarkupValueSemantics.java b/core/metamodel/src/main/java/org/apache/isis/core/metamodel/valuesemantics/MarkupValueSemantics.java
index 948c39270a..a3357b56e3 100644
--- a/core/metamodel/src/main/java/org/apache/isis/core/metamodel/valuesemantics/MarkupValueSemantics.java
+++ b/core/metamodel/src/main/java/org/apache/isis/core/metamodel/valuesemantics/MarkupValueSemantics.java
@@ -29,6 +29,7 @@ import org.apache.isis.applib.value.semantics.ValueDecomposition;
import org.apache.isis.applib.value.semantics.ValueSemanticsAbstract;
import org.apache.isis.applib.value.semantics.ValueSemanticsProvider;
import org.apache.isis.commons.collections.Can;
+import org.apache.isis.commons.internal.hardening._Hardening;
import org.apache.isis.schema.common.v2.ValueType;
@Component
@@ -83,7 +84,7 @@ implements
@Override
public Markup parseTextRepresentation(final ValueSemanticsProvider.Context context, final String text) {
return text!=null
- ? new Markup(text)
+ ? new Markup(_Hardening.toSafeHtml(text))
: null;
}
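Review bot: `parseTextRepresentation` is now the single place where untrusted markup is cleaned, which is not obvious from the `new Markup(_Hardening.toSafeHtml(text))` line and is easy to undo in a later refactor; a why-comment on that line would protect it: `// Markup no longer validates in its constructor (ISIS-3077): sanitize user-entered text here, before it becomes a value`. Worth confirming that the other ways a Markup value enters this semantics provider — composition from a `ValueDecomposition` (imported at the top of this file) and the constructor itself — are either trusted or routed through `_Hardening.toSafeHtml` as well; that cannot be determined from this hunk. Also note the user-visible effect: text a user types is rewritten to jsoup's serialization on parse rather than rejected, so a value containing a script now round-trips as something different from what was entered.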
diff --git a/core/pom.xml b/core/pom.xml
index cdfdece452..09d277b337 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -983,6 +983,12 @@
<artifactId>shiro-web</artifactId>
<version>${shiro.version}</version>
</dependency>
+
+ <dependency>
+ <groupId>org.jsoup</groupId>
+ <artifactId>jsoup</artifactId>
+ <version>${jsoup.version}</version>
+ </dependency>
<dependency>
<groupId>com.vaadin</groupId>
diff --git a/tooling/pom.xml b/tooling/pom.xml
index 5b8bf9c6ed..e5e33c0cdc 100644
--- a/tooling/pom.xml
+++ b/tooling/pom.xml
@@ -39,12 +39,10 @@
<jar-plugin.automaticModuleName>org.apache.isis.tooling</jar-plugin.automaticModuleName>
<git-plugin.propertiesDir>org/apache/isis/tooling</git-plugin.propertiesDir>
-
<asciidoctorj.version>2.5.4</asciidoctorj.version>
<gradle-tooling.version>7.1.1</gradle-tooling.version>
<maven-model-builder.version>3.8.6</maven-model-builder.version>
<picocli.version>4.6.3</picocli.version>
- <jsoup.version>1.15.1</jsoup.version>
<structurizr.version>1.6.2</structurizr.version>
</properties>
diff --git a/valuetypes/markdown/pom.xml b/valuetypes/markdown/pom.xml
index 05d6dc5bea..879b140b7a 100644
--- a/valuetypes/markdown/pom.xml
+++ b/valuetypes/markdown/pom.xml
@@ -48,13 +48,6 @@
</property>
</activation>
<dependencyManagement>
- <dependencies>
- <dependency>
- <groupId>org.jsoup</groupId>
- <artifactId>jsoup</artifactId>
- <version>1.15.1</version>
- </dependency>
- </dependencies>
</dependencyManagement>
</profile>
</profiles>