OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

On Java8Shim class, better to catch Throwable instead of Error #338

Open JuanMiguelBG-Ticarum opened 2 months ago

JuanMiguelBG-Ticarum commented 2 months ago

We are working with PrimeFaces v13.0.8, which has a dependency on owasp-java-html-sanitizer.

With version 0240325.1, it has two new dependencies:

We are working with WebLogic 12.2 and JDK 8.

When the application starts and processes the class org.owasp.shim.Java8Shim, it runs the static initializer block (line 21), with the code

_instance = Class.forName("org.owasp.shim.ForJava9AndLater").newInstance();

The classloader returns a java.lang.ClassNotFoundException instead of a java.lang.Error (or one of its subclasses).

java.lang.ClassNotFoundException: Class, org.owasp.shim.ForJava9AndLater, was compiled with an incompatible version of Java. Make sure that all the classes needed by the application have been compiled with a compatible java version.

The original error is a java.lang.UnsupportedClassVersionError, but the server filters it and returns an exception that isn't caught, resulting in an application deploy error.

<18-abr-2024 11H59' CEST> <Error> <Class Loaders> <BEA-2162500> <Class, org.owasp.shim.ForJava9AndLater, was compiled with an incompatible version of Java. Ensure that all the classes needed by the application have been compiled with a compatible java version. java.lang.UnsupportedClassVersionError: org/owasp/shim/ForJava9AndLater has been compiled by a more recent version of the Java Runtime (class file version 54.0), this version of the Java Runtime only recognizes class file versions up to 52.0
java.lang.UnsupportedClassVersionError: org/owasp/shim/ForJava9AndLater has been compiled by a more recent version of the Java Runtime (class file version 54.0), this version of the Java Runtime only recognizes class file versions up to 52.0
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at weblogic.utils.classloaders.GenericClassLoader.defineClassInternal(GenericClassLoader.java:1113)
    at weblogic.utils.classloaders.GenericClassLoader.defineClass(GenericClassLoader.java:1046)
    Truncated.
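To make the failure mode concrete, here is an added, self-contained illustration of the static-initializer fallback the issue is about. It is not the sanitizer's own code: the `Shim` interface, the `ForJava8`/`ForJava9AndLater` stand-ins, the two classloaders and all messages are hypothetical. `Jdk8Loader` plays a plain JDK 8 loader that rejects a class file version 54 with `UnsupportedClassVersionError`; `ContainerLoader` plays a server that re-throws that error as a `ClassNotFoundException`, as the report describes. `loadCatchingError` catches only `Error`, as the issue says the current initializer does; `loadCatchingThrowable` is the proposed shape.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration of the shim fallback discussed in the issue.
 * Everything here (class names, loaders, messages) is a hypothetical stand-in,
 * not code from owasp-java-html-sanitizer.
 */
public class ShimFallbackDemo {

    /** Hypothetical shim contract with one implementation per Java generation. */
    public interface Shim { String variant(); }
    public static final class ForJava8 implements Shim { public String variant() { return "java8"; } }
    public static final class ForJava9AndLater implements Shim { public String variant() { return "java9+"; } }

    /** Binary name the initializer asks for (nested class, hence the '$'). */
    private static final String NEWER = ShimFallbackDemo.class.getName() + "$ForJava9AndLater";

    /** Simulates a plain JDK 8 loader: the newer class is rejected with a LinkageError subclass. */
    static class Jdk8Loader extends ClassLoader {
        Jdk8Loader() { super(null); }
        @Override public Class<?> loadClass(String name) throws ClassNotFoundException {
            if (name.equals(NEWER)) {
                throw new UnsupportedClassVersionError(name
                    + " has been compiled by a more recent version of the Java Runtime (class file version 54.0)");
            }
            return ShimFallbackDemo.class.getClassLoader().loadClass(name); // everything else loads normally
        }
    }

    /** Simulates the container behaviour the issue reports: the Error is re-thrown as a checked exception. */
    static class ContainerLoader extends ClassLoader {
        private final ClassLoader inner = new Jdk8Loader();
        ContainerLoader() { super(null); }
        @Override public Class<?> loadClass(String name) throws ClassNotFoundException {
            try {
                return inner.loadClass(name);
            } catch (UnsupportedClassVersionError e) {
                throw new ClassNotFoundException(
                    "Class, " + name + ", was compiled with an incompatible version of Java.", e);
            }
        }
    }

    /** Current shape as the issue describes it: only an Error triggers the fallback. */
    static Shim loadCatchingError(ClassLoader cl) throws ReflectiveOperationException {
        try {
            return (Shim) Class.forName(NEWER, true, cl).getDeclaredConstructor().newInstance();
        } catch (Error e) {               // UnsupportedClassVersionError lands here ...
            return new ForJava8();
        }                                 // ... but ClassNotFoundException escapes to the caller
    }

    /** Proposed shape: any failure to bring up the newer implementation falls back. */
    static Shim loadCatchingThrowable(ClassLoader cl) {
        try {
            return (Shim) Class.forName(NEWER, true, cl).getDeclaredConstructor().newInstance();
        } catch (Throwable t) {           // covers the Error and the wrapped ClassNotFoundException alike
            return new ForJava8();
        }
    }

    public static void main(String[] args) {
        List<ClassLoader> loaders = Arrays.asList(new Jdk8Loader(), new ContainerLoader());
        for (ClassLoader cl : loaders) {
            String who = cl.getClass().getSimpleName();
            try {
                System.out.println(who + " / catch Error     -> " + loadCatchingError(cl).variant());
            } catch (ReflectiveOperationException e) {
                System.out.println(who + " / catch Error     -> deploy fails: " + e);
            }
            System.out.println(who + " / catch Throwable -> " + loadCatchingThrowable(cl).variant());
        }
    }
}
```

Run it with `javac ShimFallbackDemo.java && java ShimFallbackDemo`: the `catch (Error)` variant falls back to `ForJava8` under `Jdk8Loader` but escapes with the `ClassNotFoundException` under `ContainerLoader`, which is the deploy failure in the report; the `catch (Throwable)` variant falls back in both cases. One caveat for whoever picks this up: catching `Throwable` also swallows `VirtualMachineError`s such as `OutOfMemoryError`, so a narrower `catch (LinkageError | ReflectiveOperationException e)` covers both `UnsupportedClassVersionError` (a `LinkageError` subclass) and the wrapped `ClassNotFoundException` without hiding those, and logging the cause before falling back makes a silent downgrade to the Java 8 path visible in operations.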