Question

我正在尝试使用ESAPI.override()覆盖ESAPI OWASP库中的现有方法。不知怎的，它不起作用，你知道为什么吗？

这是我的代码：

public class AntiSamyDOMScannerExpansion extends AbstractAntiSamyScanner {

//...
public CleanResults scan(String html, String inputEncoding, String outputEncoding) throws ScanException {
        ESAPI.override(new DefaultSecurityConfiguration());
//...

Answer 1

ESAPI.override()仅用于覆盖配置。为了扩展其他类型的方法，在我的案例AntiSamy.scan中，需要扩展调用结构中的每个类。
这是因为实施不灵活。例如，我们在HTMLValidationRule.java中找到：

private String invokeAntiSamy( String context, String input ) throws ValidationException {
        // CHECKME should this allow empty Strings? "   " us IsBlank instead?
        if ( StringUtilities.isEmpty(input) ) {
            if (allowNull) {
                return null;
            }
            throw new ValidationException( context + " is required", "AntiSamy validation error: context=" + context + ", input=" + input, context );
        }

        String canonical = super.getValid( context, input );

        try {
            AntiSamy as = new AntiSamy();
            CleanResults test = as.scan(canonical, antiSamyPolicy);

            List<String> errors = test.getErrorMessages();
            if ( !errors.isEmpty() ) {
                LOGGER.info( Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors );
            }

            return test.getCleanHTML().trim();

        } catch (ScanException e) {
            throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context );
        } catch (PolicyException e) {
            throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context + " error=" + e.getMessage(), e, context );
        }
    }

由于AntiSamy as = new AntiSamy();，我们无法在自定义实现中使用它。

覆盖ESAPI OWASP方法java

1 个答案: