The XSSParameterValidator class and the XSSParameterPolicyHolder interface use the OWASP HTML Sanitizer libraries, which depend on the Google Guava libraries. Both sets of libraries are provided with the Oracle Commerce Platform in the owasp-java-html-sanitizer.jar and guava.jar files in the <ATG11dir>/DAS/lib/ directory.

Some of the classes in these libraries may also be distributed with your application server and included in its CLASSPATH. To prevent conflicts and ensure that the XSSParameterValidator and XSSParameterPolicyHolder components use the correct versions of these libraries, these components are configured to use a custom class loader created by a component of class atg.nucleus.ServicesManifestClassLoaderService:

$classloader=/atg/dynamo/servlet/security/XSSClassLoaderService

The XSSClassLoaderService component is configured to load the owasp-java-html-sanitizer.jar and guava.jar files in <ATG11dir>/DAS/lib/.
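To check whether your application server's CLASSPATH carries its own copies of these libraries, the following added example (not Oracle's code, and using only JDK APIs) reports which JAR supplies a sanitizer class and a Guava class under the ambient class loader and under an isolated loader limited to the two files named above. The class name SanitizerClasspathCheck is hypothetical, and the plain URLClassLoader is only a stand-in for XSSClassLoaderService, whose implementation this page does not describe.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;

/** Added example: compares where sanitizer and Guava classes resolve from. */
public class SanitizerClasspathCheck {

    // Real class names from OWASP Java HTML Sanitizer and Google Guava.
    private static final String[] PROBES = {
        "org.owasp.html.PolicyFactory",
        "com.google.common.collect.ImmutableList"
    };

    /** Returns the JAR or directory a class loads from, or a marker if it cannot be loaded. */
    static String origin(ClassLoader loader, String className) {
        try {
            Class<?> c = Class.forName(className, false, loader);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return src == null ? "(bootstrap)" : src.getLocation().toString();
        } catch (ClassNotFoundException | LinkageError e) {
            return "(not visible)";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: SanitizerClasspathCheck <path to DAS/lib>");
            System.exit(2);
        }
        File lib = new File(args[0]);
        URL[] jars = {
            new File(lib, "owasp-java-html-sanitizer.jar").toURI().toURL(),
            new File(lib, "guava.jar").toURI().toURL()
        };
        ClassLoader ambient = SanitizerClasspathCheck.class.getClassLoader();
        // Parent is null, so this loader sees only bootstrap classes and the two JARs.
        try (URLClassLoader isolated = new URLClassLoader(jars, null)) {
            for (String name : PROBES) {
                String a = origin(ambient, name);
                String i = origin(isolated, name);
                System.out.printf("%s%n  ambient:  %s%n  isolated: %s%n", name, a, i);
                if (!a.equals("(not visible)") && !a.equals(i)) {
                    System.out.println("  MISMATCH: CLASSPATH supplies a different copy");
                }
            }
        }
    }
}
```

Run it with the same CLASSPATH your application server uses and pass the path to <ATG11dir>/DAS/lib as the only argument. A MISMATCH line identifies a copy that would shadow the bundled JAR if the components were not loaded through the custom class loader.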


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved.