java-html-sanitizer

On Java8Shim class, better to catch Throwable instead of Error

Open JuanMiguelBG-Ticarum opened this issue 1 year ago • 2 comments

We are working with PrimeFaces v13.0.8, which has a dependency on owasp-java-html-sanitizer.

With the 0240325.1 version, it has two new dependencies:

  • Java 8 Shim
  • Java 10 Shim

We are working with Weblogic 12.2 and JDK 8.

When the application starts and processes the class org.owasp.shim.Java8Shim, loading the static initializer block (line 21), with the code

_instance = Class.forName("org.owasp.shim.ForJava9AndLater").newInstance();

The classloader returns a java.lang.ClassNotFoundException instead of a java.lang.Error (or subclasses).

java.lang.ClassNotFoundException: Class, org.owasp.shim.ForJava9AndLater, was compiled with an incompatible version of Java. Make sure that all the classes needed by the application have been compiled with a compatible java version.

The original error is a java.lang.UnsupportedClassVersionError, but the server filters it and returns the exception, which isn't caught, resulting in an application deploy error.

<18-abr-2024 11H59' CEST> <Error> <Class Loaders> <BEA-2162500> <Class, org.owasp.shim.ForJava9AndLater, was compiled with an incompatible version of Java. Ensure that all the classes needed by the application have been compiled with a compatible java version. java.lang.UnsupportedClassVersionError: org/owasp/shim/ForJava9AndLater has been compiled by a more recent version of the Java Runtime (class file version 54.0), this version of the Java Runtime only recognizes class file versions up to 52.0
java.lang.UnsupportedClassVersionError: org/owasp/shim/ForJava9AndLater has been compiled by a more recent version of the Java Runtime (class file version 54.0), this version of the Java Runtime only recognizes class file versions up to 52.0
	at java.lang.ClassLoader.defineClass1(Native Method)
	at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
	at weblogic.utils.classloaders.GenericClassLoader.defineClassInternal(GenericClassLoader.java:1113)
	at weblogic.utils.classloaders.GenericClassLoader.defineClass(GenericClassLoader.java:1046)
	Truncated.

JuanMiguelBG-Ticarum, Apr 18 '24 10:04

Same problem here.

jlp01eprinsa, Oct 04 '24 08:10

Same problem on a project that must deploy to both Apache Tomcat 9 (no problem) and Weblogic 12c using JRE 8 (UnsupportedClassVersionError reported in logs. Eventual exception is ClassNotFoundException. Error is not caught in Java8Shim.java).

cobbrg, Apr 23 '25 21:04
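
The failure mode reported in this thread, as an added example that is not the project's code: a class loader that reports an UnsupportedClassVersionError as a ClassNotFoundException, run against a handler that catches only Error and one that also treats the checked exception as "newer shim unavailable". The names ShimFallbackDemo, Shim, Java8Fallback and WrappingLoader are hypothetical, and the loader is constructed to imitate the behaviour in the log above.

```java
public class ShimFallbackDemo {
    /** Hypothetical stand-in for the shim type; not the library's API. */
    interface Shim { String name(); }

    static final class Java8Fallback implements Shim {
        public String name() { return "java8-fallback"; }
    }

    /** Constructed loader imitating the log above: the container reports the
     *  UnsupportedClassVersionError as a ClassNotFoundException. */
    static final class WrappingLoader extends ClassLoader {
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            Error cause = new UnsupportedClassVersionError(name + " (class file version 54.0)");
            throw new ClassNotFoundException(
                "Class, " + name + ", was compiled with an incompatible version of Java.", cause);
        }
    }

    /** Handler that catches only Error: the wrapped exception escapes. */
    static Shim loadCatchingErrorOnly(String cls, ClassLoader cl) throws Exception {
        try {
            return (Shim) Class.forName(cls, true, cl).getDeclaredConstructor().newInstance();
        } catch (Error e) {
            return new Java8Fallback();
        }
    }

    /** Handler that treats both failure shapes as "newer shim unavailable". */
    static Shim loadWithFallback(String cls, ClassLoader cl) {
        try {
            return (Shim) Class.forName(cls, true, cl).getDeclaredConstructor().newInstance();
        } catch (LinkageError | ReflectiveOperationException | ClassCastException e) {
            // LinkageError: UnsupportedClassVersionError, NoClassDefFoundError.
            // ReflectiveOperationException: ClassNotFoundException from the container.
            return new Java8Fallback();
        }
    }

    public static void main(String[] args) {
        ClassLoader cl = new WrappingLoader();
        String cls = "org.owasp.shim.ForJava9AndLater"; // class name from the issue
        try {
            loadCatchingErrorOnly(cls, cl);
        } catch (Exception e) {
            System.out.println("Error-only handler let through: " + e.getClass().getName());
        }
        System.out.println("Fallback handler returned: " + loadWithFallback(cls, cl).name());
    }
}
```

Catching LinkageError and ReflectiveOperationException covers both the direct JVM error and the container's wrapped form without also swallowing unrelated errors such as OutOfMemoryError, which a blanket catch of Throwable would hide.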