OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

ClassNotFoundException: org.owasp.shim.Java8Shim after update to 20240325.1 #329

Open veita opened 3 months ago

veita commented 3 months ago

After the update to 20240325.1, ClassNotFoundException: org.owasp.shim.Java8Shim exceptions occur.

I could not find documentation about which additional libraries have to be included on which Java platform such that things work properly. It seems that both java8-shim and java10-shim libraries are needed with Java 21, which seems odd.

Java version: OpenJDK Runtime Environment Temurin-21.0.2+13

rombert commented 3 months ago

You should add both libraries to your app; the right one will be selected at runtime based on the version of Java you're using.

randomalgorithm01 commented 2 months ago

@rombert @mikesamuel

Can you kindly explain the use of these dependencies, 8shim and 10shim? I originally thought the library has code that will compile in 11+ and this dependency acts as an adapter for older JDKs. But from the above it seems to be a problem in JDK 21 too.

I tried the new HTML sanitizer version as a dependency in a large project without ClassNotFoundException errors (OpenJDK 11).

Can you kindly explain the need for this jar and when to add it as a dependency?

randomalgorithm01 commented 2 months ago

@rombert a reply would be very helpful here.

mebigfatguy commented 2 months ago

Would be nice if these classes were loaded dynamically rather than statically. Why would I need to supply Java8-shim if I am not running on Java 8?

jlczuk commented 3 weeks ago

This issue has been open for some time now. I am hitting this as well. All I did was update my version to 2024-325.1.

It wasn't clear to me what the suggested solution was until I looked at the linked PR. If we are required to add new dependencies, it really should be pointed out in the release and in the README.

Apparently we should be adding these two dependencies; I would prefer that the sanitizer JAR simply included the classes itself.

I added the following to my gradle dependencies. Just one more thing to keep track of I suppose.

'com.googlecode.owasp-java-html-sanitizer:java8-shim:20240325.1',
'com.googlecode.owasp-java-html-sanitizer:java11-shim:20240325.1'

Also note that this release is a breaking change. All one needs to do is update one's build to the new release and the build will fail. Thank you for identifying in the release notes that Guava is no longer a dependency.
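
A packaging check for the failure reported in this thread, as an added example that is not code from the project or from any commenter: it lists which jars in an application's library directory contain org.owasp.shim.Java8Shim, so a build can fail before deployment instead of at runtime. The jar names and the sample directories are constructed for illustration.

```python
"""Added example: find which jars in a lib directory provide a given class."""
import tempfile
import zipfile
from pathlib import Path

# Class name taken from the exception in this issue's title.
REQUIRED_CLASS = "org.owasp.shim.Java8Shim"


def class_entry(class_name: str) -> str:
    """Map a binary class name to its entry path inside a jar."""
    return class_name.replace(".", "/") + ".class"


def providers(jar_dir: Path, class_name: str) -> list[str]:
    """Return sorted names of the jars in jar_dir that contain class_name."""
    entry = class_entry(class_name)
    found = []
    for jar in sorted(jar_dir.glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    found.append(jar.name)
        except zipfile.BadZipFile:
            continue  # truncated or non-zip file: it cannot supply the class
    return found


def build_sample_libs(root: Path, with_shim: bool) -> Path:
    """Constructed sample lib directory; jar names and contents are made up."""
    lib = root / ("with_shim" if with_shim else "without_shim")
    lib.mkdir()
    with zipfile.ZipFile(lib / "sanitizer-sample.jar", "w") as zf:
        zf.writestr("org/owasp/html/Sample.class", b"")
    (lib / "corrupt.jar").write_bytes(b"not a zip")
    if with_shim:
        with zipfile.ZipFile(lib / "shim-sample.jar", "w") as zf:
            zf.writestr(class_entry(REQUIRED_CLASS), b"")
    return lib


def demo() -> dict[str, list[str]]:
    """Run the check over both constructed directories."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {
            "without": providers(build_sample_libs(root, False), REQUIRED_CLASS),
            "with": providers(build_sample_libs(root, True), REQUIRED_CLASS),
        }
```

An empty result for the real library directory means the class will not be found at runtime; more than one jar in the result means the class is packaged twice.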