9898public class DefaultValidator implements org .owasp .esapi .Validator {
9999 private static Logger logger = ESAPI .log ();
100100 private static volatile Validator instance = null ;
101+ private static boolean alreadyLogged = false ;
102+ private static String deprecationWarning = "WARNING: You are using the Validator.isValidSafeHTML interface, " +
103+ "which has been deprecated and should be avoided. See GitHub Security Advisory " +
104+ "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm for details." ;
101105
102106 public static Validator getInstance () {
103107 if ( instance == null ) {
@@ -382,6 +386,12 @@ public Date getValidDate(String context, String input, DateFormat format, boolea
382386 */
383387 @ Override
384388 public boolean isValidSafeHTML (String context , String input , int maxLength , boolean allowNull ) {
389+ // Ensure a message about deprecation is logged once if this or the
390+ // other isValidSafeHTML method is called.
391+ if ( ! alreadyLogged ) {
392+ logger .always (Logger .SECURITY_AUDIT , deprecationWarning );
393+ alreadyLogged = true ;
394+ }
385395 try {
386396 getValidSafeHTML ( context , input , maxLength , allowNull );
387397 return true ;
@@ -395,6 +405,12 @@ public boolean isValidSafeHTML(String context, String input, int maxLength, bool
395405 */
396406 @ Override
397407 public boolean isValidSafeHTML (String context , String input , int maxLength , boolean allowNull , ValidationErrorList errors ) throws IntrusionException {
408+ // Ensure a message about deprecation is logged once if this or the
409+ // other isValidSafeHTML method is called.
410+ if ( ! alreadyLogged ) {
411+ logger .always (Logger .SECURITY_AUDIT , deprecationWarning );
412+ alreadyLogged = true ;
413+ }
398414 try {
399415 getValidSafeHTML ( context , input , maxLength , allowNull );
400416 return true ;