As stated in the JavaDocs, it will be removed in a future release. Is there any alternative library which works similarly via annotations?
Validating constraints In the setUp() method, a Validator instance is retrieved from the ValidatorFactory . Validator instances are thread-safe and may be reused multiple times.
The Javax bean validation API provides the following most frequently used annotations. The Hibernate validator provides the following commonly used annotations for validation. In case of product or project development we must use both the annotations for bean validation.
Hibernate Validator allows to express and validate application constraints. The default metadata source are annotations, with the ability to override and extend through the use of XML. It is not tied to a specific application tier or programming model and is available for both server and client application programming.
Data validation is a common task that occurs in all layers of an application, including persistence. The Java™ Persistence API (JPA) 2.0 provides support for the Bean Validation API so that data validation can be done at run time.
Let's first explain the reasons of the deprecation: we recently had a security issue (CVE) due to this very constraint. It was due to an error in our implementation but it made us realize that this was very fragile and potentially a can of worms security wise.
The alternative for now would be to implement it yourself based on our latest implementation and maintain it in your own application (with potentially your own tweaks).
We have a very nice article on our blog explaining how to do that easily: https://in.relation.to/2017/03/02/adding-custom-constraint-definitions-via-the-java-service-loader/ .
Basically, this change is us saying that we don't want to take the responsibility of something that is potentially fragile and will need a lot of attention, with tweaks potentially specific to the application platform it is deployed on.
Update: I have posted a full announcement here: https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/ .
My solution:
pom.xml
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.14.2</version>
</dependency>
NoHtml.java
@Documented
@Constraint(validatedBy = NoHtmlValidator.class)
@Target({METHOD, FIELD})
@Retention(RUNTIME)
public @interface NoHtml {
String message() default "Unsafe html content";
Class<?>[] groups() default {};
Class<? extends Payload>[] payload() default {};
}
NoHtmlValidator.java
public class NoHtmlValidator implements ConstraintValidator<NoHtml, String> {
@Override
public boolean isValid(String value, ConstraintValidatorContext ctx) {
return value == null || Jsoup.isValid(value, Safelist.none());
}
}
Any bean:
@NoHtml
private String name;
See jsoup - Sanitize HTML and Sanitizing User Input, Part II (Validation with Spring REST)
UPDATE: change Jsoup.clean..equals..
to Jsoup.isValid
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With