Delete code referring to the previously deprecated Validator.isValidSafeHTML methods.

This is wrap up GHSA-r68h-jhhj-9jvm.

Author: kwwall

src/main/java/org/owasp/esapi/Validator.java

@@ -44,11 +44,10 @@
  * </p><p>
  * <b>CAUTION:</b> There are many methods that take multiple (or only!) {@code String}
  * arguments. Be careful that you do not mix up the order of these, because for
- * some methods such as {@code isValidSafeHTML} if you were to confuse the order of
- * {@code context} and {@code input} arguments, you would not be verifying what
- * you thought you were and it could have serious security consequences as a
- * result. When there are 2 these {@code String} parameters&mdash;{@code context} and
- * {@code input} arguments&mdash;the * {@code context} argument is always first.
+ * several methods that have {@code context} and {@code input} arguments, mixing up
+ * the order of those likely will result in serious security consequences.
+ * . When there are 2 these {@code String} parameters&mdash;{@code context} and
+ * {@code input} arguments&mdash;the {@code context} argument is <i>always</i> first.
  * See the individual method documentation for additional details.
  * </p>
  *
@@ -297,92 +296,6 @@ public interface Validator {
      */
     Date getValidDate(String context, String input, DateFormat format, boolean allowNull, ValidationErrorList errorList) throws IntrusionException;
 
-    /**
-     * Returns {@code true} if the parameter {@code input} is valid and <i>presumably</i> safe.
-     * <p>
-     * <b>WARNING:</b> Note that the only safe way to use this method is if you
-     * instead of using the passed-in parameter '{@code input}' (which should
-     * not be completely trusted as-is, regardless of whether this method returns
-     * {@code true}), you first sanitize (i.e., cleanse) the parameter '{@code input}'
-     * by first by calling one of the {@code getValidSafeHTML} methods on it. For
-     * additional details explaining the rationale for this, please see the referenced
-     * ESAPI Security Bulletin 12 in the referenced GitHub Security Advisory
-     * mentioned in the "See Also" section below.
-     *
-     * @param context
-     *         A descriptive tag name for the input that you are validating (e.g., user_comment).
-     *         This value is used by any logging or error handling that is done with respect to the value passed in.
-     * @param input
-     *         The actual user input data to validate. Note that the expectation
-     *         is that this input is allowed to contain "safe" HTML markup,
-     *         otherwise you should not be using this {@code Validator} method
-     *         at all.
-     * @param maxLength
-     *         The maximum {@code String} length allowed for {@code input}.
-     * @param allowNull
-     *         If {@code allowNull} is true then an input that is NULL or an empty string will be legal.
-     *         If {@code allowNull} is false then NULL or an empty String will throw a ValidationException.
-     *
-     * @return True if the {@code input} is <i>presumably</i> safe, otherwise false.
-     *
-     * @throws IntrusionException The parameter {@code input} likely indicates an attack.
-     *
-     * @deprecated Deprecated as of ESAPI 2.5.3.0. This method will be removed in 1 year
-     * after the ESAPI 2.5.3.0 release date (2023-11-24).
-     *
-     * @see <a href="https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm"
-     * target="_blank" rel="noreferrer noopener">GitHub Security Advisory: Validator.isValidSafeHTML
-     * is being deprecated and will be deleted in 1 year</a>
-     */ 
-    @Deprecated
-    boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws IntrusionException;
-
-    /**
-     * Returns {@code true} if the parameter {@code input} is valid and <i>presumably</i> safe.
-     * Any exceptions are added to the supplied {@code errorList} parameter.
-     * <p>
-     * <p>
-     * Calls {@link #getValidSafeHTML(String, String, int, boolean)},
-     * and returns true if no exceptions are thrown.
-     * <p>
-     * <b>WARNING:</b> Note that the only safe way to use this method is if you
-     * instead of using the passed-in parameter '{@code input}' (which should
-     * not be completely trusted as-is, regardless of whether this method returns
-     * {@code true}), you first sanitize (i.e., cleanse) the parameter '{@code input}'
-     * by first by calling one of the {@code getValidSafeHTML} methods on it. For
-     * additional details explaining the rationale for this, please see the referenced
-     * ESAPI Security Bulletin 12 in the referenced GitHub Security Advisory
-     * mentioned in the "See Also" section below.
-     *
-     * @param context
-     *         A descriptive tag name for the input that you are validating (e.g., user_comment).
-     *         This value is used by any logging or error handling that is done with respect to the value passed in.
-     * @param input
-     *         The actual user input data to validate. Note that the expectation
-     *         is that this input is allowed to contain "safe" HTML markup,
-     *         otherwise you should not be using this {@code Validator} method
-     *         at all.
-     * @param maxLength
-     *         The maximum {@code String} length allowed for {@code input}.
-     * @param allowNull
-     *         If {@code allowNull} is true then an input that is NULL or an empty string will be legal.
-     *         If {@code allowNull} is false then NULL or an empty String will throw a ValidationException.
-     * @param errorList The error list to which any {@code ValidationException} messages are added.
-     *
-     * @return True if the {@code input} is <i>presumably</i> safe, otherwise false.
-     *
-     * @throws IntrusionException The parameter {@code input} likely indicates an attack.
-     *
-     * @deprecated Deprecated as of ESAPI 2.5.3.0. This method will be removed in 1 year
-     * after the ESAPI 2.5.3.0 release date (2023-11-24).
-     *
-     * @see <a href="https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm"
-     * target="_blank" rel="noreferrer noopener">GitHub Security Advisory: Validator.isValidSafeHTML
-     * is being deprecated and will be deleted in 1 year</a>
-     */
-    @Deprecated
-    boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException;
-
     /**
      * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
      * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting

src/main/java/org/owasp/esapi/reference/DefaultValidator.java

@@ -99,9 +99,6 @@ public class DefaultValidator implements org.owasp.esapi.Validator {
     private static Logger logger = ESAPI.log();
     private static volatile Validator instance = null;
     private static boolean alreadyLogged = false;
-    private static String deprecationWarning = "WARNING: You are using the Validator.isValidSafeHTML interface, " +
-        "which has been deprecated and should be avoided. See GitHub Security Advisory " +
-        "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm for details.";
 
     public static Validator getInstance() {
         if ( instance == null ) {
@@ -379,47 +376,6 @@ public Date getValidDate(String context, String input, DateFormat format, boolea
         return safeDate;
     }
 
-    /**
-     * {@inheritDoc}
-     * <p>
-     * This implementation does not throw {@link IntrusionException}.
-     */
-    @Override
-    public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) {
-        // Ensure a message about deprecation is logged once if this or the
-        // other isValidSafeHTML method is called.
-        if ( ! alreadyLogged ) {
-            logger.always(Logger.SECURITY_AUDIT, deprecationWarning);
-            alreadyLogged = true;
-        }
-        try {
-            getValidSafeHTML( context, input, maxLength, allowNull);
-            return true;
-        } catch( Exception e ) {
-            return false;
-        }
-    }
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override
-    public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException {
-        // Ensure a message about deprecation is logged once if this or the
-        // other isValidSafeHTML method is called.
-        if ( ! alreadyLogged ) {
-            logger.always(Logger.SECURITY_AUDIT, deprecationWarning);
-            alreadyLogged = true;
-        }
-        try {
-            getValidSafeHTML( context, input, maxLength, allowNull);
-            return true;
-        } catch( ValidationException e ) {
-            errors.addError(context, e);
-            return false;
-        }
-    }
-
     /**
      * {@inheritDoc}
      * <p>

src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleClasspathTest.java

@@ -47,16 +47,11 @@
  *
  * This class tests the case of a non-standard AntiSamy policy file along with
  * the case where the new ESAPI.property
- *      {@code Validator.HtmlValidationAction}
+ *      <b>Validator.HtmlValidationAction</b>
  * is set to "throw", which causes certain calls to
- * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML()
+ *      {@code ESAPI.validator().getValidSafeHTML()}
  * to throw a ValidationException rather than simply logging a warning and returning
  * the cleansed (sanitizied) output when certain unsafe input is encountered.
- *
- * It should be noted that several of the tests in this file are deprecated because
- * they use {@code Validator.isValidSafeHTML} which is deprecated. See the
- * deprecation warnings for those methods respective Javadoc for further
- * details.
  */
 public class HTMLValidationRuleClasspathTest {
     /** The intentionally non-compliant (to the AntiSamy XSD) AntiSamy policy file. We don't intend to
@@ -177,32 +172,4 @@ public void testGetValidSafeHTML() throws Exception {
         }
     }
 
-    /**
-     * @deprecated because Validator.isValidSafeHTML is deprecated.
-     * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean)
-     * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean,org.owasp.esapi.ValidationErrorList)
-     */
-    @Deprecated
-    @Test
-    public void testIsValidSafeHTML() {
-        System.out.println("isValidSafeHTML");
-        Validator instance = ESAPI.validator();
-        thrownEx = ExpectedException.none();    // Not expecting any exceptions here.
-
-        assertTrue(instance.isValidSafeHTML("test", "<b>Jeff</b>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false));
-        assertFalse(instance.isValidSafeHTML("test", "Test. <script>alert(document.cookie)</script>", 100, false));
-        assertFalse(instance.isValidSafeHTML("test", "Test. <div style={xss:expression(xss)}>", 100, false));
-        assertFalse(instance.isValidSafeHTML("test", "Test. <s%00cript>alert(document.cookie)</script>", 100, false));
-        assertFalse(instance.isValidSafeHTML("test", "Test. <s\tcript>alert(document.cookie)</script>", 100, false));
-        assertFalse(instance.isValidSafeHTML("test", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false));
-
-        ValidationErrorList errors = new ValidationErrorList();
-        assertFalse(instance.isValidSafeHTML("test1", "Test. <script>alert(document.cookie)</script>", 100, false, errors));
-        assertFalse(instance.isValidSafeHTML("test2", "Test. <div style={xss:expression(xss)}>", 100, false, errors));
-        assertFalse(instance.isValidSafeHTML("test3", "Test. <s%00cript>alert(document.cookie)</script>", 100, false, errors));
-        assertFalse(instance.isValidSafeHTML("test4", "Test. <s\tcript>alert(document.cookie)</script>", 100, false, errors));
-        assertFalse(instance.isValidSafeHTML("test5", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue( errors.size() == 5 );
-    }
 }

src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java

@@ -56,9 +56,9 @@
  * that were originally part of src/test/java/org/owasp/esapi/reference/ValidatorTest.java.
  *
  * This class tests the cases where the new ESAPI.property
- *      Validator.HtmlValidationAction
+ *      <b>Validator.HtmlValidationAction</b>
  * is set to "clean", which causes certain calls to
- * ESAPI.validator().getValidSafeHTML() or ESAPI.validator().isValidSafeHTML()
+ *      {@code ESAPI.validator().getValidSafeHTML()}
  * to simply log a warning and return the cleansed (sanitized) output rather
  * than throwing a ValidationException when certain unsafe input is
  * encountered.
@@ -275,53 +275,6 @@ public void testAntiSamy_CVE_2023_43643() {
     }
     ////////////////////////////////////////
 
-    /**
-     * @deprecated because Validator.isValidSafeHTML is deprecated.
-     * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean)
-     * @see org.owasp.esapi.Validator#isValidSafeHTML(String,String,int,boolean,org.owasp.esapi.ValidationErrorList)
-     */
-    @Deprecated
-    @Test
-    public void testIsValidSafeHTML() {
-        System.out.println("testIsValidSafeHTML");
-        Validator instance = ESAPI.validator();
-
-        assertTrue(instance.isValidSafeHTML("test", "<b>Jeff</b>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <script>alert(document.cookie)</script>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <div style={xss:expression(xss)}>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <s%00cript>alert(document.cookie)</script>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <s\tcript>alert(document.cookie)</script>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false));
-
-        ValidationErrorList errors = new ValidationErrorList();
-        assertTrue(instance.isValidSafeHTML("test1", "<b>Jeff</b>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test2", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test3", "Test. <script>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test4", "Test. <div style={xss:expression(xss)}>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test5", "Test. <s%00cript>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test6", "Test. <s\tcript>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test7", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(errors.size() == 0);
-
-        // Extracted from testIEConditionalComment().
-        String input = "<!--[if gte IE 4]>\r\n <SCRIPT>alert('XSS');</SCRIPT>\r\n<![endif]-->";
-        boolean isSafe = instance.isValidSafeHTML("test12", input, 100, false, errors);
-        assertTrue(instance.isValidSafeHTML("test12", input, 100, false, errors)); // Safe bc "" gets returned!!!
-
-        // Extracted from testNekoDOSWithAnHTMLComment()
-        errors = new ValidationErrorList();
-        input = "<!--><?a/";
-        assertTrue(instance.isValidSafeHTML("test11", input, 100, false, errors)); // Safe bc "" gets returned!!!
-        assertTrue(errors.size() == 0);
-
-        // Extracted from testESAPI_CVE_2022_24891() 
-        String expectedSafeText = "This is safe from XSS. Trust us!";
-        String badVoodoo = "<a href=\"javascript&#00058alert(1)>" + expectedSafeText + "</a>";
-        boolean result = instance.isValidSafeHTML("CVE-2021-35043", badVoodoo, 200, false);
-        assertTrue( result );
-    }
-
     // This test has been significantly changed because as on AntiSamy 1.7.4
     // (first used with ESAPI 2.5.3.0) has changed the results of
     // Validator.getValidSafeHTMLfor this output. Prior to AntiSamy 1.7.4, the
@@ -335,7 +288,7 @@ public void testIsValidSafeHTML() {
     //
     // Also, this test, which originally used Validator.isValidSafeHTML(), has been
     // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
-    // has been deprecated. See GitHub Security Advisory
+    // has been removed as of ESAPI 2.6.0.0. See GitHub Security Advisory
     // https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm
     // and the referenced ESAPI Security Bulletin mentioned therein.
     @Test
@@ -368,7 +321,7 @@ public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception {
     //
     // Also, this test, which originally used Validator.isValidSafeHTML(), has been
     // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
-    // has been deprecated. See GitHub Security Advisory
+    // has been removed as of ESAPI 2.6.0.0. See GitHub Security Advisory
     // https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm
     // and the referenced ESAPI Security Bulletin mentioned therein.
     @Test
@@ -403,7 +356,7 @@ public void testScriptTagAfterStyleClosing() throws Exception {
     //
     // Also, this test, which originally used Validator.isValidSafeHTML(), has been
     // changed to use Validator.getValidSafeHTML() instead because Validator.isValidSafeHTML()
-    // has been deprecated. See GitHub Security Advisory
+    // has been removed as of ESAPI 2.6.0.0. See GitHub Security Advisory
     // https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm
     // and the referenced ESAPI Security Bulletin mentioned therein.
     @Test