Bootstrap Wysiwyg Editor and CommunityCommons XSSSanitize: class not found exception

2
We use the Bootstrap Wysiwyg Editor widget in our application. Because we use a rich text editor, the user can paste any HTML into the input element, including scripts. So I wanted to use the XSS sanitize routine in CommunityCommons to prevent any unwanted stuff from being stored in the database. Unfortunately, none of the predefined policies allow embedded images the way the Bootstrap Wysiwyg Editor widget works. So I took the plunge and created my own policy file. That works now, but if any tag has a style attribute the sanitize fails with a class not found exception, see (partial) stack trace below. It seems that adding xml-apis-ext.jar from the Apache Batik distribution solves this. I recreated this in a test project by changing the 'anythinggoes' policy file so the img tags don't get removed. AntiSamy will also solve the issue that the PDF exporter expects XHTML where the rich text widget uses HTML. The sanitized data is valid XHTML so it can be used directly in PDF documents.

Steps to be taken:

- Include the missing jar in the distribution
- Add a new policy value to the XSSPolicy enumeration for the Bootstrap Wysiwyg Editor widget
- Create the AntiSamy policy file that matches the functionality of the Bootstrap Wysiwyg Editor widget
- (And translate a few texts in CommunityCommons to get rid of these errors about missing Dutch texts with every update of CommunityCommons)

I cannot do the distribution of course, but I will be happy to help with all the other steps.
The stack trace:

    java.lang.NoClassDefFoundError: org/w3c/css/sac/DocumentHandler
        at org.owasp.validator.html.scan.MagicSAXFilter.makeCssScanner(MagicSAXFilter.java:205)
        at org.owasp.validator.html.scan.MagicSAXFilter.startElement(MagicSAXFilter.java:294)
        at org.cyberneko.html.HTMLTagBalancer.callStartElement(HTMLTagBalancer.java:1141)
        at org.cyberneko.html.HTMLTagBalancer.startElement(HTMLTagBalancer.java:746)
        at org.cyberneko.html.HTMLScanner$ContentScanner.scanStartElement(HTMLScanner.java:2701)
        at org.cyberneko.html.HTMLScanner$ContentScanner.scan(HTMLScanner.java:2057)
        at org.cyberneko.html.HTMLScanner.scanDocument(HTMLScanner.java:917)
        at org.cyberneko.html.HTMLConfiguration.parse(HTMLConfiguration.java:499)
        at org.cyberneko.html.HTMLConfiguration.parse(HTMLConfiguration.java:452)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transformIdentity(TransformerImpl.java:677)
        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:746)
        at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:359)
        at org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:125)
        at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:101)
        at communitycommons.StringUtils.XSSSanitize(StringUtils.java:262)
        at communitycommons.StringUtils.XSSSanitize(StringUtils.java:245)
        at communitycommons.actions.XSSSanitize.executeAction(XSSSanitize.java:52)
        at communitycommons.actions.XSSSanitize.executeAction(XSSSanitize.java:36)
        at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:53)
asked
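A small self-check for a custom AntiSamy policy like the one described in the question, added here as an example (it is not CommunityCommons or Bootstrap-RTE code). It assumes the policy file path is passed as the first argument; the three HTML samples are constructed to cover the points raised above: a pasted script, an inline data URI image, and a tag with a style attribute.

```java
import java.util.List;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class RtePolicyCheck {
    // Constructed samples: pasted script, inline (data URI) image, tag with a style attribute.
    static final String SCRIPT_SAMPLE = "<p>hello</p><script>alert(1)</script>";
    static final String IMAGE_SAMPLE  = "<p><img src=\"data:image/png;base64,iVBORw0KGgo=\" alt=\"pasted\"/></p>";
    static final String STYLE_SAMPLE  = "<p style=\"color: red; background: url(javascript:alert(1))\">styled</p>";

    public static void main(String[] args) throws PolicyException, ScanException {
        // Assumption: args[0] is the path of the custom policy file (e.g. the one built for the RTE widget).
        Policy policy = Policy.getInstance(args[0]);
        AntiSamy antiSamy = new AntiSamy();
        boolean ok = true;
        // Script content must not survive sanitizing.
        ok &= check("script removed", !clean(antiSamy, policy, SCRIPT_SAMPLE).contains("<script"));
        // The editor stores pasted images as data URIs, so the policy has to let those through.
        ok &= check("data: image kept", clean(antiSamy, policy, IMAGE_SAMPLE).contains("data:image/png"));
        // A style attribute routes through the CSS scanner; the javascript: URL inside it must be dropped.
        ok &= check("style scanned", !clean(antiSamy, policy, STYLE_SAMPLE).contains("javascript:"));
        System.out.println(ok ? "policy check passed" : "policy check FAILED");
    }

    // SAX is the scanner in the stack trace; it builds the CSS scanner (org.w3c.css.sac)
    // as soon as it meets a style attribute, which is where the missing class shows up.
    static String clean(AntiSamy antiSamy, Policy policy, String dirty)
            throws ScanException, PolicyException {
        CleanResults cr = antiSamy.scan(dirty, policy, AntiSamy.SAX);
        List<String> errors = cr.getErrorMessages();
        for (String e : errors) {
            System.out.println("  antisamy: " + e);
        }
        return cr.getCleanHTML();
    }

    static boolean check(String name, boolean passed) {
        System.out.println((passed ? "PASS " : "FAIL ") + name);
        return passed;
    }
}
```

With org.w3c.css.sac absent from the classpath, the style sample reproduces the NoClassDefFoundError from the question instead of printing a FAIL line, so the check doubles as a test for the missing jar.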
2 answers
1

Hi Marcel,

Both the Community Commons and the Bootstrap RTE are now available on GitHub!

You can report an issue there, or fork it and send a pull request.

GitHub Community Commons

GitHub Bootstrap-RTE

You can find more information about contributing here.

Regards,

Robert van 't Hof (App Store Team)

answered
0

This usually happens when there are too many userlibs in your project, since those might collide with the packages shipped by Mendix itself. If your project is not too big, clearing the userlib directory and reimporting your modules from the appstore usually solves this issue.

In this specific case, removing xml-apis.jar will probably solve the issue. See also:

https://world.mendix.com/display/refguide5/Troubleshooting

answered