What alternatives are there to Hibernate Validator's @SafeHtml to validate Strings?

As stated in the JavaDocs, it will be removed in a future release. Is there any alternative library which works similarly via annotations?

C C H asked Nov 18 '19 11:11


2 Answers

Let's first explain the reasons for the deprecation: we recently had a security issue (CVE) due to this very constraint. It was due to an error in our implementation, but it made us realize that this was very fragile and potentially a can of worms security-wise.

The alternative for now would be to implement it yourself based on our latest implementation and maintain it in your own application (with potentially your own tweaks).

We have a very nice article on our blog explaining how to do that easily: https://in.relation.to/2017/03/02/adding-custom-constraint-definitions-via-the-java-service-loader/

Basically, this change is us saying that we don't want to take the responsibility for something that is potentially fragile and will need a lot of attention, with tweaks potentially specific to the application platform it is deployed on.

Update: I have posted a full announcement here: https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/

Guillaume Smet answered Sep 18 '22 09:09


My solution:

pom.xml

    <dependency>
        <groupId>org.jsoup</groupId>
        <artifactId>jsoup</artifactId>
        <version>1.14.2</version>
    </dependency>

NoHtml.java

    import static java.lang.annotation.ElementType.FIELD;
    import static java.lang.annotation.ElementType.METHOD;
    import static java.lang.annotation.RetentionPolicy.RUNTIME;

    import java.lang.annotation.Documented;
    import java.lang.annotation.Retention;
    import java.lang.annotation.Target;
    import javax.validation.Constraint;
    import javax.validation.Payload;

    @Documented
    @Constraint(validatedBy = NoHtmlValidator.class)
    @Target({METHOD, FIELD})
    @Retention(RUNTIME)
    public @interface NoHtml {
        String message() default "Unsafe html content";

        Class<?>[] groups() default {};

        Class<? extends Payload>[] payload() default {};
    }

NoHtmlValidator.java

    import javax.validation.ConstraintValidator;
    import javax.validation.ConstraintValidatorContext;
    import org.jsoup.Jsoup;
    import org.jsoup.safety.Safelist;

    public class NoHtmlValidator implements ConstraintValidator<NoHtml, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            // null is left to @NotNull/@NotBlank; otherwise accept only input that parses with no tags at all
            return value == null || Jsoup.isValid(value, Safelist.none());
        }
    }

Any bean:

    @NoHtml
    private String name;

See jsoup - Sanitize HTML and Sanitizing User Input, Part II (Validation with Spring REST)

UPDATE: changed `Jsoup.clean(...).equals(...)` to `Jsoup.isValid`

Grigory Kislin answered Sep 20 '22 09:09
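The following is an added example, not code from either answer or from the Hibernate Validator project. It wires the `@NoHtml` constraint from the answer above into a real Bean Validation run (the "implement it yourself" route Guillaume Smet's answer recommends) and puts the answer's first revision, `Jsoup.clean(...).equals(...)`, next to the final `Jsoup.isValid` check so the reason for the UPDATE is visible. It assumes hibernate-validator 6.x (javax.validation namespace), jsoup 1.14.2 and an EL implementation such as `org.glassfish:jakarta.el` on the classpath, plus the `NoHtml` and `NoHtmlValidator` classes exactly as posted; `NoHtmlDemo`, `UserForm` and the sample strings are constructed for this example.

```java
import java.util.Set;

import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;

import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

// Example harness (not part of the original answers): runs the @NoHtml constraint
// defined above through Hibernate Validator and compares the two jsoup checks.
public class NoHtmlDemo {

    // Constructed bean carrying the @NoHtml annotation from the answer above.
    static class UserForm {
        @NoHtml
        private final String name;

        UserForm(String name) {
            this.name = name;
        }
    }

    // The check from the answer's first revision: accept only input that jsoup's
    // cleaner returns unchanged. jsoup re-serialises text ('&' becomes "&amp;"),
    // so plain text can be rejected even though it contains no markup at all.
    static boolean cleanEqualsCheck(String value) {
        return value == null || value.equals(Jsoup.clean(value, Safelist.none()));
    }

    // The check from the answer's final revision: ask jsoup whether the parsed body
    // contains only tags permitted by the safelist; Safelist.none() permits no tags.
    static boolean isValidCheck(String value) {
        return value == null || Jsoup.isValid(value, Safelist.none());
    }

    static Set<ConstraintViolation<UserForm>> validate(Validator validator, String name) {
        return validator.validate(new UserForm(name));
    }

    public static void main(String[] args) {
        // Requires hibernate-validator and an EL implementation on the classpath.
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();

        // Constructed sample inputs: plain text, text with an ampersand, and markup.
        String[] samples = {
            "Alice",
            "Tom & Jerry",
            "<b>Bob</b>",
            "<script>alert(1)</script>",
            "<img src=x onerror=alert(1)>",
            null
        };

        for (String s : samples) {
            Set<ConstraintViolation<UserForm>> violations = validate(validator, s);
            System.out.printf("%-30s clean-equals=%-5b isValid=%-5b violations=%d%n",
                    s, cleanEqualsCheck(s), isValidCheck(s), violations.size());
            for (ConstraintViolation<UserForm> v : violations) {
                System.out.println("    " + v.getPropertyPath() + ": " + v.getMessage());
            }
        }
    }
}
```

The "Tom & Jerry" row is where the two checks disagree: jsoup's cleaner serialises the ampersand as `&amp;`, so `clean(...).equals(...)` reports a change and rejects harmless text, while `isValid` only asks whether the parsed input contains tags outside the safelist and accepts it. Every sample containing a tag, including the plain `<b>`, is a violation with `Safelist.none()`; this constraint means "no HTML at all", not "safe HTML". If you need to allow limited markup, pass a safelist such as `Safelist.basic()` instead, but be aware that what you accept then tracks jsoup's safelist semantics, which is exactly the kind of maintenance burden the first answer describes. Two further caveats: the validator returns true for `null`, so combine it with `@NotNull` or `@NotBlank` where empty values must be rejected, and input validation of this kind is not a substitute for output encoding when the value is rendered.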