You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@myfaces.apache.org by hn...@apache.org on 2022/05/25 08:08:39 UTC

[myfaces-tobago] branch tobago-2.x updated: build(deps): update jsoup

This is an automated email from the ASF dual-hosted git repository.

hnoeth pushed a commit to branch tobago-2.x
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git


The following commit(s) were added to refs/heads/tobago-2.x by this push:
     new 7dac775bee build(deps): update jsoup
7dac775bee is described below

commit 7dac775beeefdcf7fc5baba31ee8564312f0c0a6
Author: Henning Noeth <hn...@apache.org>
AuthorDate: Wed May 18 16:34:16 2022 +0200

    build(deps): update jsoup
    
    * update jsoup
    * use "safelist" instead of "whitelist"
    
    Issue: TOBAGO-2134
---
 pom.xml                                            |  2 +-
 .../tobago/internal/config/TobagoConfigMerger.java |  2 +-
 .../tobago/internal/config/TobagoConfigParser.java |  4 +++
 .../myfaces/tobago/sanitizer/JsoupSanitizer.java   | 40 ++++++++++++----------
 .../src/main/webapp/WEB-INF/tobago-config.xml      |  2 +-
 5 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/pom.xml b/pom.xml
index a1ec424b73..e93f9b2b38 100644
--- a/pom.xml
+++ b/pom.xml
@@ -289,7 +289,7 @@
         <!-- jsoup HTML parser library -->
         <groupId>org.jsoup</groupId>
         <artifactId>jsoup</artifactId>
-        <version>1.14.3</version>
+        <version>1.15.1</version>
       </dependency>
       <dependency>
         <groupId>net.sourceforge.maven-taglib</groupId>
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java
index f1adecac1f..cfd413e7e3 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigMerger.java
@@ -47,7 +47,7 @@ public class TobagoConfigMerger {
     // default sanitizer
     String sanitizerClass = JsoupSanitizer.class.getName();
     Properties sanitizerProperties = new Properties();
-    sanitizerProperties.setProperty("whitelist", "relaxed");
+    sanitizerProperties.setProperty("safelist", "relaxed");
 
     for (final TobagoConfigFragment fragment : list) {
 
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
index ea2d56b041..f3aa031ab4 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
@@ -393,6 +393,10 @@ public class TobagoConfigParser extends TobagoConfigEntityResolver {
       case SANITIZER:
         if (properties != null) {
           tobagoConfig.setSanitizerProperties(properties);
+          if (properties.get("whitelist") != null) {
+            LOG.warn("<sanitizer><properties><entry key=\"whitelist\"> is deprecated:"
+              + " use <sanitizer><properties><entry key=\"safelist\"> instead.");
+          }
         }
         properties = null;
         break;
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
index 0112a233e6..cf8a07f5cc 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
@@ -20,7 +20,7 @@
 package org.apache.myfaces.tobago.sanitizer;
 
 import org.jsoup.Jsoup;
-import org.jsoup.safety.Whitelist;
+import org.jsoup.safety.Safelist;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -34,14 +34,14 @@ public class JsoupSanitizer implements Sanitizer {
 
   private static final Logger LOG = LoggerFactory.getLogger(JsoupSanitizer.class);
 
-  private Whitelist whitelist;
-  private String whitelistName;
+  private Safelist safelist;
+  private String safelistName;
 
   private boolean unmodifiable = false;
 
   public String sanitize(final String html) {
 
-    final String safe = Jsoup.clean(html, whitelist);
+    final String safe = Jsoup.clean(html, safelist);
     if (LOG.isDebugEnabled()) {
       LOG.debug("Sanitized: " + safe);
     }
@@ -57,20 +57,23 @@ public class JsoupSanitizer implements Sanitizer {
     while (enumeration.hasMoreElements()) {
       String key = enumeration.nextElement();
       if ("whitelist".equals(key)) {
-        whitelistName = configuration.getProperty(key);
-        if ("basic".equals(whitelistName)) {
-          whitelist = Whitelist.basic();
-        } else if ("basicWithImages".equals(whitelistName)) {
-          whitelist = Whitelist.basicWithImages();
-        } else if ("none".equals(whitelistName)) {
-          whitelist = Whitelist.none();
-        } else if ("relaxed".equals(whitelistName)) {
-          whitelist = Whitelist.relaxed();
-        } else if ("simpleText".equals(whitelistName)) {
-          whitelist = Whitelist.simpleText();
+        key = "safelist";
+      }
+      if ("safelist".equals(key)) {
+        safelistName = configuration.getProperty(key);
+        if ("basic".equals(safelistName)) {
+          safelist = Safelist.basic();
+        } else if ("basicWithImages".equals(safelistName)) {
+          safelist = Safelist.basicWithImages();
+        } else if ("none".equals(safelistName)) {
+          safelist = Safelist.none();
+        } else if ("relaxed".equals(safelistName)) {
+          safelist = Safelist.relaxed();
+        } else if ("simpleText".equals(safelistName)) {
+          safelist = Safelist.simpleText();
         } else {
           throw new RuntimeException(
-              "Unknown configuration value for 'whitelist' in tobago-config.xml found! value='" + whitelistName + "'");
+            "Unknown configuration value for 'safelist' in tobago-config.xml found! value='" + safelistName + "'");
         }
       } else {
         throw new RuntimeException("Unknown configuration key in tobago-config.xml found! key='" + key + "'");
@@ -78,7 +81,7 @@ public class JsoupSanitizer implements Sanitizer {
     }
 
     if (LOG.isInfoEnabled()) {
-      LOG.warn("Using whitelist '" + whitelistName + "' for sanitizing!");
+      LOG.warn("Using safelist '" + safelistName + "' for sanitizing!");
     }
   }
 
@@ -90,7 +93,6 @@ public class JsoupSanitizer implements Sanitizer {
 
   @Override
   public String toString() {
-    return getClass().getSimpleName() + " whitelist='" + whitelistName + "'";
+    return getClass().getSimpleName() + " safelist='" + safelistName + "'";
   }
-
 }
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
index e5aa0e84c7..9c810e2117 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
@@ -55,7 +55,7 @@
       &lt;!&ndash;
        Use one of: basic, basicWithImages, relaxed, simpleText or none
        &ndash;&gt;
-      <entry key="whitelist">relaxed</entry>
+      <entry key="safelist">relaxed</entry>
     </properties>
   </sanitizer>
 -->