The XSSParameterValidator class and the XSSParameterPolicyHolder interface make use of OWASP HTML Sanitizer libraries that are dependent on Google Guava libraries. These libraries are provided with the Oracle Commerce Platform in the owasp-java-html-sanitizer.jar and guava.jar files in the <ATG11dir>/DAS/lib/ directory.
Some of the classes in these libraries may also be distributed with your application server and included in its CLASSPATH. To prevent conflicts and ensure that the XSSParameterValidator and XSSParameterPolicyHolder components use the correct versions of these libraries, these components are configured to use a custom class loader created by a component of class atg.nucleus.ServicesManifestClassLoaderService:
$classloader=/atg/dynamo/servlet/security/XSSClassLoaderService
The XSSClassLoaderService component is configured to load the owasp-java-html-sanitizer.jar and guava.jar files in <ATG11dir>/DAS/lib/.
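
To see where the overlap described above occurs in a given installation, the following added example (not part of the Oracle documentation or the platform's code) scans directories for JARs that contain OWASP HTML Sanitizer or Guava classes and reports any library provided by more than one JAR. It assumes the libraries' standard package names, org.owasp.html and com.google.common; the directories to scan are supplied by you on the command line.

```python
import sys
import zipfile
from pathlib import Path

# Assumption: standard package prefixes of the two libraries named above,
# written as paths inside a JAR.
WATCHED = {
    "owasp-java-html-sanitizer": "org/owasp/html/",
    "guava": "com/google/common/",
}


def jars_providing(roots):
    """Map each watched library to the JARs under `roots` that contain its classes."""
    found = {name: [] for name in WATCHED}
    for root in roots:
        for jar in sorted(Path(root).rglob("*.jar")):
            try:
                with zipfile.ZipFile(jar) as zf:
                    entries = zf.namelist()
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or corrupt archive: skip it
            for name, prefix in WATCHED.items():
                if any(e.startswith(prefix) and e.endswith(".class") for e in entries):
                    found[name].append(str(jar))
    return found


def conflicts(roots):
    """Return only the libraries whose classes appear in more than one JAR."""
    return {n: jars for n, jars in jars_providing(roots).items() if len(jars) > 1}


if __name__ == "__main__":
    # Usage: pass the platform lib directory and the application server's
    # library directories as arguments.
    for lib, jars in conflicts(sys.argv[1:]).items():
        print(f"{lib} classes found in {len(jars)} JARs:")
        for j in jars:
            print(f"  {j}")
```

A library listed here is present in more than one place; the $classloader setting shown above is what keeps the XSS components on the copies in <ATG11dir>/DAS/lib/.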