`ESAPI.override()` is only for overriding configuration. To extend any other kind of method, in my case `AntiSamy.scan`, you have to extend every class in the call chain.

The reason is that the implementation is inflexible. For example, we find the following in `HTMLValidationRule.java`:
```java
private String invokeAntiSamy(String context, String input) throws ValidationException {
    // CHECKME should this allow empty Strings? " " use isBlank instead?
    if (StringUtilities.isEmpty(input)) {
        if (allowNull) {
            return null;
        }
        throw new ValidationException(context + " is required",
                "AntiSamy validation error: context=" + context + ", input=" + input, context);
    }
    // canonicalize (decode) the input before handing it to AntiSamy
    String canonical = super.getValid(context, input);
    try {
        // the AntiSamy instance is created here, not injected
        AntiSamy as = new AntiSamy();
        CleanResults test = as.scan(canonical, antiSamyPolicy);
        List<String> errors = test.getErrorMessages();
        if (!errors.isEmpty()) {
            LOGGER.info(Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors);
        }
        return test.getCleanHTML().trim();
    } catch (ScanException e) {
        throw new ValidationException(context + ": Invalid HTML input",
                "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context);
    } catch (PolicyException e) {
        throw new ValidationException(context + ": Invalid HTML input",
                "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context
                        + " error=" + e.getMessage(), e, context);
    }
}
```
Because of `AntiSamy as = new AntiSamy();` we cannot make it use a custom implementation.
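The usual way around a hard-coded `new AntiSamy()` is to write your own `ValidationRule` that receives the `AntiSamy` instance and the `Policy` through its constructor, and to register that rule with the validator. The class below is an added illustration, not ESAPI or AntiSamy project code. It assumes the ESAPI 2.x API as I know it (`BaseValidationRule` with abstract `getValid`/`sanitize`, a protected `allowNull` flag and a protected `encoder` field, `Validator.addRule`/`getRule`) and AntiSamy's `Policy.getInstance(InputStream)` and `AntiSamy.scan(String, Policy)`; the rule name `"SafeHTML"` and the class name are my own choices.

```java
// Added illustrative example (not ESAPI/AntiSamy project code).
// Assumes ESAPI 2.x: BaseValidationRule exposes `allowNull` and `encoder`
// to subclasses and declares abstract getValid/sanitize.
import java.io.InputStream;
import java.util.List;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.ValidationRule;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.BaseValidationRule;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class InjectableHtmlValidationRule extends BaseValidationRule {

    private static final Logger LOGGER = ESAPI.getLogger(InjectableHtmlValidationRule.class);

    // Both collaborators are supplied by the caller instead of being created
    // inside the rule, so a subclass or wrapper of AntiSamy can be used.
    private final AntiSamy antiSamy;
    private final Policy policy;

    public InjectableHtmlValidationRule(String typeName, AntiSamy antiSamy, Policy policy) {
        super(typeName);
        this.antiSamy = antiSamy;
        this.policy = policy;
    }

    @Override
    public String getValid(String context, String input) throws ValidationException {
        if (input == null || input.trim().isEmpty()) {
            if (allowNull) {
                return null;
            }
            throw new ValidationException(context + " is required",
                    "AntiSamy validation error: context=" + context + ", input=" + input, context);
        }
        // Canonicalize first so that encoded markup is scanned in its decoded form.
        String canonical = encoder.canonicalize(input);
        try {
            CleanResults results = antiSamy.scan(canonical, policy);
            List<String> errors = results.getErrorMessages();
            if (!errors.isEmpty()) {
                // Same logging contract as the built-in rule: record what was stripped.
                LOGGER.info(Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors);
            }
            return results.getCleanHTML().trim();
        } catch (ScanException e) {
            throw new ValidationException(context + ": Invalid HTML input",
                    "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context);
        } catch (PolicyException e) {
            throw new ValidationException(context + ": Invalid HTML input",
                    "Invalid HTML input does not follow the supplied policy: context=" + context
                            + " error=" + e.getMessage(), e, context);
        }
    }

    @Override
    protected String sanitize(String context, String input) {
        // Fail closed: if the input cannot be validated, return an empty string
        // rather than passing the raw markup through.
        try {
            String valid = getValid(context, input);
            return valid == null ? "" : valid;
        } catch (ValidationException e) {
            return "";
        }
    }

    // Registers the rule under the (assumed) name "SafeHTML". The AntiSamy
    // instance passed here can be any subclass; this is the extension point
    // the hard-coded `new AntiSamy()` in HTMLValidationRule does not offer.
    public static ValidationRule register(InputStream policyXml, AntiSamy antiSamy)
            throws PolicyException {
        Policy policy = Policy.getInstance(policyXml);
        ValidationRule rule = new InjectableHtmlValidationRule("SafeHTML", antiSamy, policy);
        ESAPI.validator().addRule(rule);
        return rule;
    }
}
```

After `register(...)`, callers obtain the rule with `ESAPI.validator().getRule("SafeHTML")` and call `getValid`/`getSafe` on it directly. Note that, as far as I can tell, `DefaultValidator.getValidSafeHTML` still constructs its own `HTMLValidationRule` internally, so it will not pick up this rule; that is exactly the inflexibility described above, and code that needs the custom scanner has to go through the registered rule instead.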