PF 8.0RC3 TextEditor requires HTML Sanitizer

UI Components for JSF
Post Reply
xav
Posts: 5
Joined: 12 Feb 2020, 21:29

13 Feb 2020, 15:20

With PF 8.0 RC3 on Payara 5.194 (Mojarra 2.3.9 / JSF 2.3) :

xhtml :

Code: Select all

<p:textEditor></p:textEditor>
Error :

Code: Select all

javax.faces.FacesException: TextEditor component is marked secure='true' but the HTML Sanitizer was not found on the classpath. Either add the HTML sanitizer to the classpath per the documentation or mark secure='false' if you would like to use the component without the sanitizer.
        at org.primefaces.component.texteditor.TextEditorRenderer.checkSecurity(TextEditorRenderer.java:181)
        at org.primefaces.component.texteditor.TextEditorRenderer.encodeEnd(TextEditorRenderer.java:87)
        at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:595)
        at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1654)
        at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1650)
        at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1650)
I have no problem with PF 7.0

Is this a bug ?
Or Am I missing an "HTML Sanitizer" (what exactly should I add to the classpath) ?
Or should I mark the component secure='false' (how) ?

Regards
--
Xavier

Melloware
Posts: 1950
Joined: 22 Apr 2013, 15:48

13 Feb 2020, 16:45

In Migration Guide: https://github.com/primefaces/primeface ... e#70-to-80
TextEditor for security reasons (https://github.com/primefaces/primefaces/issues/5163) now requires the OWASP Sanitizer library by default but you can choose to opt-out of using the library by setting the attribute secure="false".
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 8.0.3 / PF Extensions 8.0.4

Melloware
Posts: 1950
Joined: 22 Apr 2013, 15:48

13 Feb 2020, 21:02

Sorry just re-read your question just set secure="false" on the textEditor like..

Code: Select all

<p:textEditor secure="false" ....
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 8.0.3 / PF Extensions 8.0.4

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

13 Feb 2020, 23:56

Like mentioned in the 'error'....

xav
Posts: 5
Joined: 12 Feb 2020, 21:29

14 Feb 2020, 14:09

I missed the migration guide...

Adding secure="false" to the component solves the issue. For some reason, I though this "secure" attribute was a more global server side thing, I didn't realized it was a component attribute, sorry...

Thank you Melloware !

Melloware
Posts: 1950
Joined: 22 Apr 2013, 15:48

14 Feb 2020, 14:11

No prob! Yeah we decided to make this component secure by default as its a safer option and then let users opt-out of security with the flag.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 8.0.3 / PF Extensions 8.0.4

Post Reply

Return to “PrimeFaces”

  • Information
  • Who is online

    Users browsing this forum: No registered users and 5 guests