
Add @SafeHtml Jakarta Validator

Open candrews opened this issue 5 years ago • 2 comments

Hibernate Validator currently has @SafeHtml, a Jakarta Validator, to do validation of a string to ensure it's valid HTML using jsoup.

However, Hibernate Validator has decided to deprecate this validator as that project doesn't feel that it's the right place for it. Please see https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/ for more information.

I think jsoup is the perfect home for @SafeHtml.

Copying @SafeHtml into jsoup would be done by:

  • adding a Maven optional dependency on jakarta.validation:jakarta.validation-api
  • copying a few classes from Hibernate Validator
  • and adding a META-INF service loader file so the validator is loaded (see https://in.relation.to/2017/03/02/adding-custom-constraint-definitions-via-the-java-service-loader/ for details)

candrews, May 20 '20 01:05
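As an added illustration of what such a constraint would look like when backed by jsoup's existing safelist API (this is not code from jsoup or from Hibernate Validator), assuming jsoup 1.15 or later (`Safelist`, `Jsoup.isValid`) and the `jakarta.validation` API on the classpath; the annotation name and the choice of `Safelist.basic()` are illustrative:

```java
import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.Payload;
import java.lang.annotation.*;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

// Hypothetical jsoup-hosted constraint. The validator is wired here via validatedBy;
// the service-loader route from the linked post would instead use validatedBy = {} and a
// META-INF/services/jakarta.validation.ConstraintValidator file naming SafeHtml.Validator.
@Documented
@Constraint(validatedBy = SafeHtml.Validator.class)
@Target({ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER, ElementType.ANNOTATION_TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface SafeHtml {
    String message() default "may have unsafe html content";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};

    class Validator implements ConstraintValidator<SafeHtml, CharSequence> {
        @Override
        public boolean isValid(CharSequence value, ConstraintValidatorContext ctx) {
            // Null is left to @NotNull, as is conventional for Jakarta constraints.
            if (value == null) {
                return true;
            }
            // Jsoup.isValid parses the fragment as a body fragment and checks that every
            // tag and attribute is permitted by the safelist; anything outside it fails,
            // so the check and Jsoup.clean share one parser and one allow-list.
            return Jsoup.isValid(value.toString(), Safelist.basic());
        }
    }
}
```

Because the same parser produces both the validation verdict and the cleaned output, a fragment that passes the constraint is exactly one that `Jsoup.clean` would leave unchanged under the same safelist.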

Jsoup already has an API for validating and sanitizing html, that is configurable by a Whitelist: https://jsoup.org/apidocs/org/jsoup/Jsoup.html#clean(java.lang.String,org.jsoup.safety.Whitelist)

Taking on an API that has been flagged in a CVE is a significant commitment. If, on the other hand, that vulnerability stems from the underlying jsoup code, then bringing in the Hibernate code would not add any additional features to jsoup. Either way, I don't see a compelling reason to add that code.

michelpetrovic, May 20 '20 16:05

Based on a reading of https://in.relation.to/2019/11/20/hibernate-validator-610-6018-released/, I believe CVE-2019-10219's root cause was a misunderstanding of jsoup. If the validator is maintained in jsoup, that concern is eliminated.

candrews, Sep 18 '20 18:09