I am trying to add OWASP HTMLSanitizer API in my ATG(9.3) application but I am getting below exception:

**** Error  Wed Jan 16 01:35:45 IST 2019    1547582745139   
/   Unable to resolve component /test/util/TestingUtil
java.lang.NoClassDefFoundError: org/owasp/html/HtmlPolicyBuilder

Implementation Changes done so far:

1) Added owasp-java-html-sanitizer.jar and guava-20.0.jar in my commerce/lib folder (place where all the jars are present)

2) Created CustomSanitizer component, i.e. CustomSanitizer.properties file with content as:

$class=org.owasp.html.HtmlPolicyBuilder
$scope=global

3) Added the above created component to the existing component where we need to sanitize the URL. Existing component properties file (TestingUtil.properties):

$class=com.util.TestingUtil
htmlPolicyBuilder=/test/util/HTMLPolicyBuilder

4) TestingUtil.java :

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class TestingUtil {

    // Injected by Nucleus from the htmlPolicyBuilder property in TestingUtil.properties
    private HtmlPolicyBuilder htmlPolicyBuilder;

    public HtmlPolicyBuilder getHtmlPolicyBuilder() { return htmlPolicyBuilder; }
    public void setHtmlPolicyBuilder(HtmlPolicyBuilder htmlPolicyBuilder) { this.htmlPolicyBuilder = htmlPolicyBuilder; }

    public String filterUrl(String url) {
        // Only <a> elements with an href, only https: URLs, rel="nofollow" forced on links
        PolicyFactory policy = htmlPolicyBuilder
                .allowElements("a")
                .allowUrlProtocols("https")
                .allowAttributes("href").onElements("a")
                .requireRelNofollowOnLinks()
                .toFactory();
        return policy.sanitize(url);
    }
}

Please suggest.

Manan Kapoor
  • HtmlPolicyBuilder is not a valid ATG component so how is Nucleus going to load this class? – bated Jan 15 '19 at 21:03
  • Actually I have seen somewhere they are loading the Apache HttpClient in the same manner, so I tried this way. Is there any other way to resolve this? – Manan Kapoor Jan 15 '19 at 21:06
  • I believe 9.4 has /atg/dynamo/servlet/pipeline/URLArgumentServlet in the DAFPipeline which you might want to extend instead of your approach. It might be that you add your own custom chain but this sounds like it should be in the DAF pipeline. – bated Jan 15 '19 at 21:17
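The policy the question builds, applied directly to a few untrusted fragments so its effect is visible. This is an added example and not code from the question, the answer or the OWASP project; it bypasses Nucleus injection and instantiates HtmlPolicyBuilder itself, and the sample inputs are constructed. Note that the sanitizer operates on HTML markup, so the link to be checked is passed as an `<a href="...">` element rather than as a bare URL string.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class LinkSanitizerDemo {

    // Same policy as the question's filterUrl(): only <a> elements, only an
    // href attribute on them, only https: URLs, and rel="nofollow" forced on links.
    static final PolicyFactory LINK_POLICY = new HtmlPolicyBuilder()
            .allowElements("a")
            .allowUrlProtocols("https")
            .allowAttributes("href").onElements("a")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Sanitizes an untrusted HTML fragment according to LINK_POLICY.
    static String sanitize(String untrustedHtml) {
        return LINK_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not data from the question.
        String[] samples = {
            // allowed protocol: link kept, rel="nofollow" added
            "<a href=\"https://example.com/page\">ok</a>",
            // http: is not in the allowed protocol list, so the href is dropped
            "<a href=\"http://example.com/page\">plain http</a>",
            // javascript: is not in the allowed protocol list, so the href is dropped
            "<a href=\"javascript:alert(1)\">js</a>",
            // onclick is not an allowed attribute, so it is dropped while href survives
            "<a href=\"https://example.com\" onclick=\"x()\">evt</a>",
            // <script> is removed with its content; <b> is not allowed, its text is kept
            "<script>alert(1)</script><b>bold</b> text",
        };
        for (String s : samples) {
            System.out.println(s + "  =>  " + sanitize(s));
        }
    }
}
```

For the first sample the expected result is `<a href="https://example.com/page" rel="nofollow">ok</a>`; for the disallowed protocols the anchor text survives but the href does not, which is the behaviour a link filter in front of user-supplied URLs should have.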

1 Answer

Firstly, just checking, because it's not obvious from your Implementation Changes listed above: have you included the new JARs in your module manifest (between step 1 and step 2)? Looking at your error, I suspect this is the case.

Then, the Nucleus component you have defined (CustomSanitizer.properties): are you able to instantiate it alone? E.g. what do you get if you navigate to the component through the Component Browser in dyn/admin? (It's global, so it should be instantiated at first access.)

Then, if the component can be instantiated, figure out why your TestingUtil component cannot access it. Is the path to the component correct?

Vihung
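The manifest check the answer asks about, as an added example that is not part of the answer: a module's META-INF/MANIFEST.MF has to list every JAR under its lib folder on ATG-Class-Path, or Nucleus will not see the classes even though the files are present on disk. Assumed here: the module is named commerce (matching the commerce/lib folder in the question), it ships its own classes in lib/classes.jar and its Nucleus configuration under config/, and it depends on the DCS module; all of those names are placeholders to adapt.

```text
Manifest-Version: 1.0
ATG-Required: DCS
ATG-Config-Path: config/
ATG-Class-Path: lib/classes.jar lib/owasp-java-html-sanitizer.jar lib/guava-20.0.jar
```

The paths on ATG-Class-Path are relative to the module root and space separated; after editing the manifest the application has to be reassembled and restarted before the NoClassDefFoundError can be re-checked in the Component Browser.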