Comments (10)
OK. I made it optional, and also added a few comments in the README on the new logging setup. I'd like @kwwall to review/test these changes w/ESAPI before I publish 1.6.1.
from antisamy.
@talios - The reason for this decision is that ESAPI, dating back to the earliest 2.x versions, delivered an AntiSamy policy file with an extraneous, never used '' node. And we assume that many ESAPI users have customized this and we do not wish to cause their policy files to fail, but still would like them to benefit from the XML schema checking.
However, not to long ago, when we phased out log4j 1.x as the default logger (because it had reached end-of-life), we made JUL the default ESAPI logger. (SLF4J was just new at the time and still having some of the bugs worked out.) So the problem is that if an application using ESAPI is using JUL rather than SLF4J, then when ESAPI invokes AntiSamy, AntiSamy ends up logging this:
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
so they get no indication of what is going on at all if their old, possibly customized AntiSamy policy file schema validation fails, because if they are using JUL for ESAPI, they probably are not using SLF4J in their application either.
I was actually in favor of marking it optional, for the very reasons that you say, but Dave and I discussed it and decided together it would be best to make it required and allow the developers using AntiSamy to exclude it. Almost all the projects I deal with in my day job already exclude libraries in the Maven pom, so I don't think there's a big knowledge gap there.
from antisamy.
Thanks for reporting this issue so quickly. I have reimplemented the logging in the new 1.6.1 branch to only use slf4j. There are no imports or uses of log4j at all. I do import slf4j-simple so that AntiSamy logging will work if an app hasn't configured logging at all. But the importing app should be able to switch out the logger to whatever they want. Can you review/test this new 1.6.1 branch and let me know if you agree that these changes address your concerns?
from antisamy.
@davewichers I've just pulled the branch and building locally and everything seems to build fine on my project.
I think it may be better listing the slf4j-simple
dependency with <optional>true</optional>
:
https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html
Cheers
from antisamy.
@talios @kwwall - After testing AntiSamy with apps that don't have SLF4J enabled at all, we decided that we needed to include slf4j-simple (i.e., not make it optional). AntiSamy uses can still configure their slf4j setup to use a different logging library, but we need to include something that works, in case they don't have anything at all.
from antisamy.
Given that SLF4j uses class path scanning as its means of configuring bindings; generally you only include the binding you want your application to use. It's usually recommended for libraries to not depend on concrete bindings, merely the API package for this reason.
This will probably lead to forcing users who want logging to require adding <exclusion>
elements against the dependency. An optional dependency should still work as expected, but should not cause Maven to fail to build if missing.
I'm not 100% on that, or the behaviour when you have multiple bindings on the classpath - I suspect that might end up using which ever it encounters first - which could be problematic; for me this isn't such as an issue as we configure global exclusions everywhere already.
I note the subsequent commits on the branch still leave src/main/resources/log4j2.xml
included - which should probably be removed.
from antisamy.
Apologies if I came off as cold above - had a bad day at work :(
from antisamy.
@talios - Agree, both src/main/resources/log4j2.xml
and src/test/resources/log4j2.xml
should probably be removed. @davewichers - if you haven't pushed 1.6.1 to Maven Central yet, you may want to do this.
from antisamy.
@kwwall Cheers for the back-info - sounds all good then.
from antisamy.
This has been addressed in the 1.6.1 release that just went out. I removed the two log4j2.xml files as well.
from antisamy.
Related Issues (20)
- AntiSamy converting single quotes to double quotes for font-family which is causing issue while rendering HOT 6
- AntiSamy not detecting XSS for anchor tag HOT 10
- CssHandler test case failure on Windows HOT 5
- Incorrect 'Contributing' link on OWASP wiki page HOT 1
- Javadoc cleanup
- 2 enhancement HOT 2
- 1 enhancement with api HOT 2
- CVE-2022-24891 HOT 7
- Removing Xerces dependency? HOT 3
- Does Antisamy has support for custom css properties " --* " and css-function " var() " and how to define it in the antisamy policy file? HOT 10
- Enabled noopenerAndNoreferrerAnchors policy drops nofollow HOT 7
- Covering all cases of "rel" attribute in "anchor" tag is quite verbose HOT 3
- Investigate replacing Batik CSS HOT 1
- Dealing with Security Vulnerabilities CVE-2023-26119 HOT 13
- AntiSamy encodes unknown tags despite not being configured that way HOT 6
- GraalVM Support HOT 4
- noopenerAndNoreferrerAnchors policy directive seems disabled by default in 1.7.2 version HOT 2
- How to find if vulnerable script is present in the input HOT 8
- Is there a way to not encode certain HTML Entities? HOT 6
- antisamy:1.7.3 contains batik-css:1.16 that has CVE-2022-44729 vulnerability HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from antisamy.