0

我正在尝试使用ESAPI.override()覆盖 ESAPI OWASP 库中的现有方法。不知怎的,它不起作用,你知道为什么吗?

这是我的代码:

public class AntiSamyDOMScannerExpansion extends AbstractAntiSamyScanner {

//...
public CleanResults scan(String html, String inputEncoding, String outputEncoding) throws ScanException {
        ESAPI.override(new DefaultSecurityConfiguration());
//...
4

1 回答 1

0

ESAPI.override()仅用于覆盖配置。为了扩展其他类型的方法,在我的例子AntiSamy.scan中,需要扩展调用结构中的每个类。
这是因为执行不灵活。例如我们发现HTMLValidationRule.java

private String invokeAntiSamy( String context, String input ) throws ValidationException {
        // CHECKME should this allow empty Strings? "   " us IsBlank instead?
        if ( StringUtilities.isEmpty(input) ) {
            if (allowNull) {
                return null;
            }
            throw new ValidationException( context + " is required", "AntiSamy validation error: context=" + context + ", input=" + input, context );
        }

        String canonical = super.getValid( context, input );

        try {
            AntiSamy as = new AntiSamy();
            CleanResults test = as.scan(canonical, antiSamyPolicy);

            List<String> errors = test.getErrorMessages();
            if ( !errors.isEmpty() ) {
                LOGGER.info( Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors );
            }

            return test.getCleanHTML().trim();

        } catch (ScanException e) {
            throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context );
        } catch (PolicyException e) {
            throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context + " error=" + e.getMessage(), e, context );
        }
    }

由于AntiSamy as = new AntiSamy();我们无法使其在自定义实现中可用。

于 2012-09-27T12:13:38.127 回答