As stated in the JavaDocs, it will be removed in a future release. Is there any alternative library which works similarly via annotations?
3 Answers
Let's first explain the reasons for the deprecation: we recently had a security issue (CVE) due to this very constraint. It was due to an error in our implementation, but it made us realize that this was very fragile and potentially a can of worms security-wise.
The alternative for now would be to implement it yourself based on our latest implementation and maintain it in your own application (with potentially your own tweaks).
We have a very nice article on our blog explaining how to do that easily: https://in.relation.to/2017/03/02/adding-custom-constraint-definitions-via-the-java-service-loader/ .
Basically, this change is us saying that we don't want to take the responsibility of something that is potentially fragile and will need a lot of attention, with tweaks potentially specific to the application platform it is deployed on.
Update: I have posted a full announcement here: https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/ .

- Is there a reason why the documentation doesn't provide any information on why it's going to be removed? – Joachim Sauer Nov 18 '19 at 11:50
- Not really. TBH, I haven't had the time to properly announce these releases yet. There will be a blog post and migration notes soon. I'll work on that this week. – Guillaume Smet Nov 18 '19 at 12:12
- Could you provide a link or some details on the security issue? – Dario Seidl Dec 03 '19 at 10:45
- Never mind, I found it: https://hibernate.atlassian.net/browse/HV-1739 – Dario Seidl Dec 03 '19 at 10:47
- @DarioSeidl the blog post is here: https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/ . I will update my message. – Guillaume Smet Dec 03 '19 at 16:52
- @GuillaumeSmet Thank you, we will explore creating our own validators in the future – C C H Dec 06 '19 at 05:51
- It is error-prone, so let's make it a user problem, then the world will definitely be a safer place. It's a sad loss I think, but I understand the decision. – Jan-Willem Gmelig Meyling Aug 10 '22 at 14:12
My solution:
pom.xml
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.14.2</version>
</dependency>
NoHtml.java
import java.lang.annotation.Documented;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.Payload;
import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

@Documented
@Constraint(validatedBy = NoHtmlValidator.class)
@Target({METHOD, FIELD})
@Retention(RUNTIME)
public @interface NoHtml {
    String message() default "Unsafe html content";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}
NoHtmlValidator.java
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class NoHtmlValidator implements ConstraintValidator<NoHtml, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        // null is left to @NotNull; otherwise the value must pass Safelist.none() unchanged,
        // i.e. contain no tags at all (Safelist requires jsoup 1.14.1 or later).
        return value == null || Jsoup.isValid(value, Safelist.none());
    }
}
Any bean:
@NoHtml
private String name;
See jsoup - Sanitize HTML and Sanitizing User Input, Part II (Validation with Spring REST)
UPDATE: changed Jsoup.clean..equals.. to Jsoup.isValid.
- Keep in mind that this approach suffers from the same CVE that caused SafeHtml to be removed from Hibernate Validator in the first place. – Jan-Willem Gmelig Meyling Aug 10 '22 at 16:21
Here is an alternative for SafeHtml. You can use Jsoup and write a custom annotation to achieve this.
First add the Jsoup dependency in pom.xml
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.8.2</version>
</dependency>
In this approach I write it to validate at field level; you can validate at class level as well. Write the annotation as below.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.validation.Constraint;
import javax.validation.Payload;

@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = HTMLValidator.class)
public @interface CustomSafeHtml {
    String message() default "Unsafe HTML tags included";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}
Then write the validator class; your validation logic goes here.
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class HTMLValidator implements ConstraintValidator<CustomSafeHtml, String> {
    @Override
    public void initialize(CustomSafeHtml constraintAnnotation) {
        // No-op: initialize() has a default implementation in Bean Validation 2.0,
        // so this override can be dropped.
        ConstraintValidator.super.initialize(constraintAnnotation);
    }

    @Override
    public boolean isValid(String s, ConstraintValidatorContext constraintValidatorContext) {
        // null is left to @NotNull (jsoup does not accept a null input); otherwise the value
        // must contain only the tags allowed by Whitelist.basic() (b, i, a, p, ul, li, ...).
        return s == null || Jsoup.isValid(s, Whitelist.basic());
    }
}
Finally add the annotation to your required fields. In my case I validate string fields.
import lombok.Data;

@Data
public class VersionRequest extends BaseRequest { // BaseRequest and EntityStatus are the poster's own types
    @CustomSafeHtml
    String version;
    EntityStatus status;
}
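Added example, not code from either answer above: it runs the two jsoup-backed constraints from this thread, NoHtml (Safelist.none(), second answer) and CustomSafeHtml (Whitelist.basic(), third answer), through a Bean Validation Validator side by side. It assumes both annotations and their validators are compiled as shown in the same package, jsoup 1.14.x (where Whitelist is still available as a deprecated subclass of Safelist), and a Bean Validation 2.0 provider such as Hibernate Validator on the classpath; the Input bean and SafeHtmlDemo class are constructed for the demonstration.

```java
import java.util.Set;
import java.util.TreeSet;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;

// Added example, not from either answer: validates a constructed bean that carries
// one field per constraint so the two safelist policies can be compared directly.
public class SafeHtmlDemo {

    static class Input {
        @NoHtml String comment;         // Safelist.none(): any tag at all fails validation
        @CustomSafeHtml String bio;     // Whitelist.basic(): simple formatting tags are allowed

        Input(String comment, String bio) { this.comment = comment; this.bio = bio; }
    }

    // Assumes a Bean Validation 2.0 provider (e.g. Hibernate Validator) is on the classpath.
    static final Validator VALIDATOR = Validation.buildDefaultValidatorFactory().getValidator();

    // Returns the names of the fields whose constraint was violated, in sorted order.
    static Set<String> violatingFields(String comment, String bio) {
        Set<String> fields = new TreeSet<>();
        for (ConstraintViolation<Input> v : VALIDATOR.validate(new Input(comment, bio))) {
            fields.add(v.getPropertyPath().toString());
        }
        return fields;
    }

    public static void main(String[] args) {
        // Plain text satisfies both constraints; NoHtmlValidator also treats null as valid.
        System.out.println(violatingFields(null, "plain text"));
        // Inline formatting: NoHtml rejects the <b> tag, CustomSafeHtml's basic() allows it.
        System.out.println(violatingFields("<b>bold</b>", "<b>bold</b>"));
        // Neither safelist allows <script>, so both fields are reported.
        System.out.println(violatingFields("<script>x</script>", "<script>x</script>"));
    }
}
```

The third call is the case both answers care about; the second shows that the two answers implement different policies (no markup at all versus a small formatting whitelist), which matters when deciding which one replaces SafeHtml in a given field.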