I am trying to override an existing method in ESAPI OWASP library, by using ESAPI.override(). Somehow it does not work, do you know why?
Here is my code:

    public class AntiSamyDOMScannerExpansion extends AbstractAntiSamyScanner {
        //...
        public CleanResults scan(String html, String inputEncoding, String outputEncoding) throws ScanException {
            ESAPI.override(new DefaultSecurityConfiguration());
            //...
        }
    }
ESAPI.override() is used only to override the configuration. In order to expand other kinds of methods, in my case AntiSamy.scan, it is necessary to extend every class in the call structure.

This is because of an inflexible implementation. For instance, we find in HTMLValidationRule.java:
    private String invokeAntiSamy( String context, String input ) throws ValidationException {
        // CHECKME should this allow empty Strings? " " use IsBlank instead?
        if ( StringUtilities.isEmpty(input) ) {
            if (allowNull) {
                return null;
            }
            throw new ValidationException( context + " is required", "AntiSamy validation error: context=" + context + ", input=" + input, context );
        }

        String canonical = super.getValid( context, input );

        try {
            AntiSamy as = new AntiSamy();
            CleanResults test = as.scan(canonical, antiSamyPolicy);

            List<String> errors = test.getErrorMessages();
            if ( !errors.isEmpty() ) {
                LOGGER.info( Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors );
            }

            return test.getCleanHTML().trim();

        } catch (ScanException e) {
            throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context );
        } catch (PolicyException e) {
            throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context + " error=" + e.getMessage(), e, context );
        }
    }

Due to AntiSamy as = new AntiSamy(); we cannot make it usable in a custom implementation.
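One way to work around the hard-coded new AntiSamy() the answer points at, as an added example that is not from the question, the answer, or the ESAPI/AntiSamy projects: since invokeAntiSamy() is private, the subclass hooks the public getValid() entry point instead, keeps the parent's validation pass (so nothing fails open), and runs its own scanner as a second pass over the already-cleaned output. LoggingAntiSamy, CustomHtmlRule and the /antisamy-esapi.xml classpath location are assumptions.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.HTMLValidationRule;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

// Hypothetical scanner subclass standing in for the questioner's customised scan().
class LoggingAntiSamy extends AntiSamy {
    @Override
    public CleanResults scan(String html, Policy policy) throws ScanException, PolicyException {
        CleanResults results = super.scan(html, policy);
        // Custom behaviour goes here (e.g. record results.getNumberOfErrors()); the cleaned
        // output is returned unchanged, so this pass can only tighten, never relax, the result.
        return results;
    }
}

// Hypothetical rule: invokeAntiSamy() is private and calls "new AntiSamy()" itself, so the only
// hook left is the public getValid() entry point; the parent's pass stays intact as the first pass.
public class CustomHtmlRule extends HTMLValidationRule {
    private final Policy policy;
    public CustomHtmlRule(String typeName, Encoder encoder) throws PolicyException {
        super(typeName, encoder);
        // Assumption: the ESAPI AntiSamy policy file is on the classpath under this name.
        this.policy = Policy.getInstance(CustomHtmlRule.class.getResourceAsStream("/antisamy-esapi.xml"));
    }
    @Override
    public String getValid(String context, String input) throws ValidationException {
        // Canonicalisation, length checks and the built-in AntiSamy scan all happen here.
        String cleaned = super.getValid(context, input);
        if (cleaned == null) return null; // the parent already applied the allowNull rule
        try {
            CleanResults results = new LoggingAntiSamy().scan(cleaned, policy);
            if (!results.getErrorMessages().isEmpty()) {
                ESAPI.getLogger("CustomHtmlRule").info(Logger.SECURITY_FAILURE,
                        "Second-pass cleanup of " + context + ": " + results.getErrorMessages());
            }
            return results.getCleanHTML().trim();
        } catch (ScanException | PolicyException e) {
            // Mirror the original rule: a failed scan must never let unscanned input through.
            throw new ValidationException(context + ": Invalid HTML input",
                    "Custom scan failed: context=" + context + " error=" + e.getMessage(), e, context);
        }
    }
}
```

Register the rule with ESAPI.validator().addRule(new CustomHtmlRule("SafeHTML", ESAPI.encoder())) and callers obtain it through ESAPI.validator().getRule("SafeHTML"); the built-in rule used by Validator.getValidSafeHTML() is unaffected, which is exactly the limitation the answer describes.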