I've installed the AntiXssLibrary nuget package which also installed the HtmlSanitizationLibrary. I can include the AntiXssLibrary with
`using System.Web.Security.AntiXss;`
then use it in my code:
`AntiXssEncoder.HtmlEncode(value, true);`
I've tried doing the same with the HtmlSanitizationLibrary but Visual Studio 2019 won't recognize the similar using statement. How do I implement/use HtmlSanitizationLibrary?
The HtmlSanitizationLibrary is tucked away in a completely different namespace even though it is installed with the same library.
```csharp
using Microsoft.Security.Application;

string html_fragment = "some unsafe html containing XSS";
string safe_html = Sanitizer.GetSafeHtmlFragment(html_fragment);
```
See https://documentation.help/Microsoft-AntiXSS/documentation.pdf, pages 162-165.
Related
After the upgrade from .NET Core 2.2 to 3.1 (without changing CodeEffects-related code or library versions) we have problems when loading the XML into the rule editor (in the backend), but only when running the application in a Docker container (which is based on the mcr.microsoft.com/dotnet/aspnet:3.1.11 image). When running exactly the same code from Visual Studio everything is fine, as it also is if we revert to the .NET Core 2.2 version of the app.
The problem is on loading the existing rule xml into the rule editor:
```csharp
editor.LoadRuleXml(ruleXml);
```
or this way:
```csharp
editor.Rule = CodeEffects.Rule.Models.RuleModel.Create(ruleXml, type);
```
The exception is:
```
CodeEffects.Rule.Common.InvalidRuleException: Invalid rule XML. Input string was not in a correct format. (#125)
   at CodeEffects.Rule.Formats.Ce.FillRule(List`1 list, XmlNode ruleXml, XmlDocument sourceXml, GetRuleDelegate ruleDelegate, Type sourceObject)
   at CodeEffects.Rule.Formats.Ce.LoadXml(XmlDocument rule, XmlDocument source, GetRuleDelegate ruleDelegate, Type sourceObject)
   at CodeEffects.Rule.Core.RuleLoader.LoadXml(XmlDocument rule, XmlDocument source, RuleFormatType format, GetRuleDelegate getRuleDelegate, Type sourceObject)
   at CodeEffects.Rule.Core.RuleLoader.LoadXml(String xmlRule, XmlDocument sourceXml, GetRuleDelegate ruleDelegate, Type sourceObject)
   at CodeEffects.Rule.Web.RuleEditor.LoadRuleXml(String ruleXml, GetRuleDelegate ruleDelegate)
   at CodeEffects.Rule.Web.RuleEditor.LoadRuleXml(String ruleXml)
```
Logging the xml that we pass to the load method shows that the xml is as it should be, so like it was stored in the db, and this same xml otherwise works fine, just not when the app is running in a docker based on .net core 3.1.
Unfortunately there is no inner exception that would point us closer to the source of the problem. And since it can only be reproduced when running in a Docker container, we are running out of ideas.
Our version of CodeEffects.Rule.Editor.Web.Core library is quite old, 5.0.7.6, but the same problem persists even if we upgrade to the latest 5.0.38.4.
Any idea what could be the problem?
I am using a JSON parser to extract the value and I am using the following jar
json-path-2.1.0, and I am getting the following error when I invoke the use case deployed as webservice on weblogic server
I wrote a small main program to extract the value from the json string and it works fine, but the server version of the use case is giving the issue. I am not sure if there are any other jars part of my ear can negatively impact this
```
SEVERE: defaultReader
java.lang.NoSuchFieldError: defaultReader
    at com.jayway.jsonpath.spi.json.JsonSmartJsonProvider.<init>(JsonSmartJsonProvider.java:39)
    at com.jayway.jsonpath.internal.DefaultsImpl.jsonProvider(DefaultsImpl.java:21)
    at com.jayway.jsonpath.Configuration.defaultConfiguration(Configuration.java:174)
    at com.jayway.jsonpath.internal.JsonContext.<init>(JsonContext.java:52)
    at com.jayway.jsonpath.JsonPath.parse(JsonPath.java:596)
```
Stumbled upon the same problem.
The reason why it does not work is not the JDK 8.
The reason why you encounter this issue is the fact that WebLogic 12.2.1.X is bundling some old version of json-smart.
On my machine this would be found here:
```
jar:file:/C:/dev/WLS_12_2_1_2_0/oracle_common/modules/net.minidev.json-smart.jar!/net/minidev/json/JSONValue.class
```
Now if you are using a library like json-path that depends on json-smart, then by default the container will load the required class using one of its built-in modules.
The blowup you have seems to be that the JSONValue class that your json-path depends on seemed to have this defaultReader field.
Here is a snippet of the code that is blowing up.
```java
public JsonSmartJsonProvider() {
    this(JSONParser.MODE_PERMISSIVE, JSONValue.defaultReader.DEFAULT_ORDERED);
}
```
That `JSONValue.defaultReader` seems not to be valid on WebLogic's older system class loader class.
You can tell the container to use what you are packing by putting into your weblogic.xml deployment descriptor something like this:
```xml
<wls:prefer-application-packages>
    <wls:package-name>net.minidev.json.*</wls:package-name>
</wls:prefer-application-packages>
```
I am having quite a bit of trouble getting WebLogic to swallow the fine-grained instruction above.
I found myself having to force WebLogic to swallow all that goes into the WEB-INF folder instead, doing:
```xml
<wls:container-descriptor>
    <wls:prefer-web-inf-classes>true</wls:prefer-web-inf-classes>
</wls:container-descriptor>
```
I would rather not be using a hammer like the web-inf-classes, but I am dancing with the WebLogic system classloader when I do not go coarse grained...
Regards.
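One way to confirm the diagnosis above from inside the deployed application, as an added example that is not part of the original answer or of json-path: it reports which class loader and jar supplied `net.minidev.json.JSONValue` and whether that copy declares `defaultReader`. The class name `JsonSmartOriginCheck` and the method `describe` are hypothetical names chosen for illustration.

```java
import java.net.URL;
import java.security.CodeSource;

public class JsonSmartOriginCheck {

    // Reports which class loader and jar supplied className, and whether
    // that copy of the class declares fieldName.
    static String describe(String className, String fieldName, ClassLoader loader) {
        Class<?> cls;
        try {
            // initialize=false: inspect the class without running its static initializers
            cls = Class.forName(className, false, loader);
        } catch (ClassNotFoundException | LinkageError e) {
            return className + " could not be loaded: " + e;
        }
        CodeSource source = cls.getProtectionDomain().getCodeSource();
        URL location = (source != null) ? source.getLocation() : null;
        boolean hasField = true;
        try {
            // getDeclaredField finds the field regardless of its visibility
            cls.getDeclaredField(fieldName);
        } catch (NoSuchFieldException e) {
            hasField = false;
        }
        return className
                + "\n  class loader: " + cls.getClassLoader()
                + "\n  loaded from:  " + (location != null ? location : "(no code source, e.g. bootstrap)")
                + "\n  declares '" + fieldName + "': " + hasField;
    }

    public static void main(String[] args) {
        // Inside a deployed application, call describe() from a servlet or a
        // startup listener so the context class loader is the application's own.
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        System.out.println(describe("net.minidev.json.JSONValue", "defaultReader", loader));
    }
}
```

If the reported location is a server module rather than the jar under WEB-INF/lib, the container's copy is taking precedence, which matches the `NoSuchFieldError` in the question.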
I too was facing this issue. It turned out some other library was using json-smart's older version, and it was getting precedence over json-path's json-smart dependency. Removing the other jar solved the issue. Or you can also downgrade your json-path's version to an appropriate version such that it supports json-smart's older version.
Looks like JsonParser jar is present in JVM 1.8 version and it seems to have more precedence over the JsonParser class available in Json-path.jar. Apparently the use case doesn't work in the 12.2.1 version of the WebLogic server but it works fine in 12.1.3.
I had the same problem but I use Gradle so I had to add:
`compile group: 'net.minidev', name: 'json-smart', version: '2.3'` to my dependencies.
I found that my Sonar instance 5.1 or 5.1.1 (with latest sonar-runner 2.x) stopped showing part of the Unit test info (Unit test widget) on the project's dashboard.
The properties I had were (in Gradle's sonarRunner > sonarProperties section):
```groovy
property "sonar.junit.reportsPath", "build/test-results/UT"
property "sonar.surefire.reportsPath", "build/test-results/UT"
```
To fix it, I had to include the following properties as well:
```groovy
property "sonar.java.junit.reportsPath", "build/test-results/UT"
property "sonar.java.surefire.reportsPath", "build/test-results/UT"
```
Just FYI: All my Unit test reports go under the build/test-results/UT folder, all Integration Tests result files go under the build/test-results/IT folder, etc.
I'm wondering if this is due to Gradle version that I'm using (2.3) or is it due to a later version of SonarQube (4.5+) as I have both SQ 5.1 and 5.1.1 instance.
I know SonarQube team started Multi language support since SonarQube version 4.12
Since SonarQube 4.2, it is possible to run an analysis on a multi-language project.
Now, it raises a question. For Getting the same Unit test info for Groovy based projects, do I need to use:
```groovy
property "sonar.groovy.junit.reportsPath", "build/test-results/UT"
property "sonar.groovy.surefire.reportsPath", "build/test-results/UT"
```
something like that if my project has Groovy code instead of java?
Searching "sonar.java.junit.reportPath" using double quotes shows "No results found" in Google, and it forces me to try and see Google results if I can run the search again without using " double quotes (for this property).
Doing the same in SonarQube site "search box" shows:
No results found for sonar.java.junit.reportPath. Please try one of the following suggestions:
Though in Gradle, inside
```groovy
sonarRunner {  // the sonarRunner task
    // ... inside ...
    sonarProperties {
        // ... section where I define various sonar props ...
    }
    // ...
}
```
I can define both sonar.junit.reportPath and sonar.java.junit.reportPath and, similarly, sonar.surefire.reportPath and sonar.java.surefire.reportPath, and while running the sonarRunner task in Gradle, it doesn't error out. Thus it makes me believe that the property variables are valid.
There are also issues with running sonarRunner or the stand-alone sonar-runner command for a mixed Java and Groovy based project (i.e. source code in Java but tests in Groovy). Setting sonar.language=java,grvy didn't help. I posted this question on Stack Overflow but so far I have no perfect result/answer on how to get a full-fledged Sonar dashboard up and running for Groovy projects like I get for a Java project.
Groovy project - Sonar - Publish project and Unit + Integration Test code coverage data
PS: I have tried various values for setting sonar.. variables (as far as sonar source, tests, etc. properties are concerned, which they have mentioned in their site's docs section).
The only valid property to use as of now is sonar.junit.reportsPath which will tell the java sonarqube plugin where to import your result of unit tests.
For Groovy, this is a work in progress, see: http://jira.sonarsource.com/browse/SONARGROOV-2
All the other properties you mentioned do not exist and are not taken into account.
Environment Details
Mac OS X 10.9
Oracle JDK 1.7.0_55 64-bit
jython-standalone-2.5.3.jar
junit-4.11
What I have done so far
I have added the junit jar to /Library/Java/Extensions.
I invoked Jython as follows: `java -jar jython-standalone-2.5.3.jar`
In the Jython interpreter, I imported the following: `import org.junit.Assert`, and this import was successful.
Problem
When I tried to use assertTrue, I got a NameError in the interpreter. Why is this so?
I understand that assertTrue is a static method. Not sure what implication this has when I try to use it in Jython.
Additional Context
I am using XMLUnit in Jython. Was able to successfully import the Diff class from org.custommonkey.xmlunit in Jython. Also able to use the methods in this class, and call them on a Diff object. The result of this method call is what I am trying to pass to assertTrue, when it throws the error.
```python
from org.custommonkey.xmlunit import Diff
import org.junit.Assert

xml1 = "..."  # some XML string
xml2 = "..."  # some XML string
myDiff = Diff(xml1, xml2)
assertTrue(myDiff.similar())  # the NameError is raised here
```
Hope this additional information is useful in identifying a solution to this problem.
Latest Status
I narrowed it down to setting this property python.security.respectJavaAccessibility = false, since the Assert() constructor is protected.
Still trying to get it to work. Any help is greatly appreciated.
Figured it out.
In addition to junit.jar file, the hamcrest-core.jar file also needed to be copied to /Library/Java/Extensions.
Then I got rid of the jython.jar file, and instead installed it using the jython installer.
After the installation was completed, I updated the registry file in the installation folder, specifically setting this property python.security.respectJavaAccessibility = false.
Now I am able to see the assertTrue method, and no longer getting a NameError.
1. Compiled Assembly from JSC
I've compiled what is intended to be client-side JavaScript using the JScript compiler (jsc.exe) on the server side in an attempt to make something that can be tested from a unit testing project, and maybe even something that can be debugged on the server side.
The compiled file contains only functions as follows (just for example) and it compiles fine into BitField.exe. Notice, no wrapper class or package in the source code.
```javascript
// BitField.js
function BitField(){
    this.values = [];
}
// more functions ...
```
```
jsc /fast- /out:BitField.exe Bitfield.js
```
Results in a BitField.exe assembly.
Success! Well, kind of ....
2. Testing Assembly / Access Point?
Secondly I've created a test project (in C#) and referenced in the BitField.exe assembly successfully. (The type of project is irrelevant but I'm providing more description to paint a full picture.)
The problem seems to be: I cannot find the namespace or a point at which I can access the BitField functions inside the BitField.exe assembly from my C# test project. The assembly doesn't seem to be "normal".
In other words I need in C#
`using ???WHAT???`
Note: I don't want to use JScript "extensions", meaning keywords that won't run client-side (in a web browser), for example, class, package etc because I want the code to be clean as possible for copy & paste back into client side script environment (Regardless said "clean" code compiles fine by jsc.exe without use of those extensions). When I try to wrap the functions in package and class it starts producing compile errors so that's another reason not to use them - because they appear to make me alter my code.
Any suggestions as to how I can use the functions of the compiled JScript assembly (by having it referenced into another assembly) when there are no explicit containers in it?
Update / Proof
.NET Reflector view
After playing around with it for a while, and trying various combinations of command-line switches for jsc.exe, I'm pretty sure that what you're trying to do won't work as you'd wish it to. If you try to compile a js file that contains functions into a .Net library assembly, you get an error:
```
BitField.js(1,1) : error JS1234: Only type and package definitions are allowed inside a library
```
But, there is hope, yet! Here's what I would do...
I would keep your "clean" BitField.js file just as it is, and then create a batch file that wraps it in a JScript class and writes it out to a "dirty" js file. It's pretty clean if you think of it as part of the compilation of the code into the DLL. The code to wrap the BitField.js into BitFieldClass.js would look like this:
merge-into-class.js
```javascript
// Wraps the contents of BitField.js in a JScript class and writes BitFieldClass.js
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ForReading = 1;
var inputFile = fso.OpenTextFile("BitField.js", ForReading, false);
var outputFile = fso.CreateTextFile("BitFieldClass.js", true);

outputFile.write("class BitFieldClass{\n");
// Copy the original source line by line into the class body
while (!inputFile.AtEndOfStream)
{
    var textLine = inputFile.ReadLine();
    outputFile.write(textLine + "\n");
}
outputFile.write("}");
inputFile.close();
outputFile.close();
```
Then the batch file to wrap it and compile it is really simple:
compile-js.bat
```bat
cscript merge-into-class.js
jsc /t:library /out:BitFieldClass.dll bitFieldClass.js
```
Of course, if you wanted to do multiple files, you'd have to parameterize things a bit, but hopefully this is enough to demonstrate the idea.