ESAPI.override()
只用于覆盖配置。为了扩展其他类型的方法,在我的例子AntiSamy.scan
中,需要扩展调用结构中的每个类。
这是因为执行不灵活。例如,我们发现在HTMLValidationRule.java
:
private String invokeAntiSamy(String context, String input) throws ValidationException {
// CHECKME should this allow empty Strings? " " us IsBlank instead?
if (StringUtilities.isEmpty(input)) {
if (allowNull) {
return null;
}
throw new ValidationException(context + " is required", "AntiSamy validation error: context=" + context + ", input=" + input, context);
}
String canonical = super.getValid(context, input);
try {
AntiSamy as = new AntiSamy();
CleanResults test = as.scan(canonical, antiSamyPolicy);
List<String> errors = test.getErrorMessages();
if (!errors.isEmpty()) {
LOGGER.info(Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors);
}
return test.getCleanHTML().trim();
} catch (ScanException e) {
throw new ValidationException(context + ": Invalid HTML input", "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context);
} catch (PolicyException e) {
throw new ValidationException(context + ": Invalid HTML input", "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context + " error=" + e.getMessage(), e, context);
}
}
由于AntiSamy as = new AntiSamy();
我们不能让它在一个自定义的实现使用。