tig*_*ger (8) | Tags: html, java, security, jlabel
If the text starts with <html>, a Swing JLabel automatically interprets it as HTML content. If that HTML contains an image with an invalid URL, the whole GUI hangs, because the ImageFetcher that is supposed to load the image exits with an NPE.
To reproduce the problem, simply create a JLabel as follows:
new JLabel("<html><img src='http:\\\\invalid\\url'>")
I know there is a client property that prevents a JLabel from interpreting HTML. But JLabel is the default renderer implementation for many Swing components (such as JTree, JTable, etc.), which makes this a problem for almost any Swing application that accepts user input. So instead of implementing a large number of custom renderers, I am looking for a global solution to disable HTML interpretation.
There is a way if you create your own look and feel.
I am not sure how it performs, but it works. Suppose you extend the "Classic Windows" L&F. You need at least 2 classes, one being the Look&Feel itself; let's call it WindowsClassicLookAndFeelExt. You only need to override the method initClassDefaults.
package testSwing;

import javax.swing.UIDefaults;
import com.sun.java.swing.plaf.windows.WindowsClassicLookAndFeel;

public class WindowsClassicLookAndFeelExt extends WindowsClassicLookAndFeel {
    @Override
    protected void initClassDefaults(UIDefaults table) {
        super.initClassDefaults(table);
        // Replace the UI delegate class registered for the "LabelUI" class ID
        // so that every JLabel gets our extended label UI
        Object[] uiDefaults = { "LabelUI", WindowsLabelExtUI.class.getCanonicalName() };
        table.putDefaults(uiDefaults);
    }
}
You also need a WindowsLabelExtUI class that manages all JLabels and sets the property:
package testSwing;

import javax.swing.JComponent;
import javax.swing.plaf.ComponentUI;
import com.sun.java.swing.plaf.windows.WindowsLabelUI;

public class WindowsLabelExtUI extends WindowsLabelUI {
    // The label UI keeps no per-component state, so one shared instance is enough
    static WindowsLabelExtUI singleton = new WindowsLabelExtUI();

    // Looked up by reflection from UIDefaults.getUI(); must stay public static
    public static ComponentUI createUI(JComponent c) {
        // Disable HTML interpretation before the UI is installed on the label
        c.putClientProperty("html.disable", Boolean.TRUE);
        return singleton;
    }
}
And finally a test class, in which you set the theme to WindowsClassicLookAndFeelExt:
package testSwing;

import java.awt.FlowLayout;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JList;
import javax.swing.JScrollPane;
import javax.swing.UIManager;

public class Main {
    public static void main(String[] args) {
        // Install the extended look and feel before any Swing component is created
        try {
            UIManager.setLookAndFeel(WindowsClassicLookAndFeelExt.class.getCanonicalName());
        } catch (Exception e) {
            e.printStackTrace();
        }
        JFrame frame = new JFrame("JList Test");
        frame.setLayout(new FlowLayout());
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        // First entry is the reproducer from the question, second is ordinary HTML
        String[] selections = {"<html><img src='http:\\\\invalid\\url'>", "<html><H1>Hello</h1></html>", "orange", "dark blue"};
        JList<String> list = new JList<>(selections);
        list.setSelectedIndex(1);
        System.out.println(list.getSelectedValue());
        JLabel jLabel = new JLabel("<html><h2>standard Label</h2></html>");
        frame.add(new JScrollPane(list));
        frame.add(jLabel);
        frame.pack();
        frame.setVisible(true);
    }
}
You will see something like this:
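A look-and-feel independent variant of the approach above, added here as an example and not part of the original answer: instead of subclassing the Windows L&F, a LabelUI delegate is registered under the "LabelUI" key with UIManager.put, which stores it in the developer defaults, and those take precedence over any look and feel that is installed later. The class name HtmlDisabledLabelUI and the install() helper are my own; everything else is the standard javax.swing API. Because the default list, table and tree cell renderers all extend JLabel, they pick up the same delegate, which is why the list in the demo shows the reproducer string as literal text.

```java
import java.awt.BorderLayout;
import javax.swing.JComponent;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JList;
import javax.swing.JScrollPane;
import javax.swing.SwingUtilities;
import javax.swing.UIManager;
import javax.swing.plaf.ComponentUI;
import javax.swing.plaf.basic.BasicLabelUI;

/**
 * LabelUI delegate that turns HTML interpretation off for every JLabel it is
 * installed on. Registered under the "LabelUI" class ID in the developer
 * defaults, it is used by every JLabel (and by the default list, table and
 * tree cell renderers, which all extend JLabel) whatever the active L&F is.
 * Hypothetical class written for this example.
 */
public class HtmlDisabledLabelUI extends BasicLabelUI {

    // BasicLabelUI keeps no per-component state, so one shared delegate suffices.
    private static final HtmlDisabledLabelUI SHARED = new HtmlDisabledLabelUI();

    // UIDefaults.getUI(JComponent) looks this method up by reflection;
    // it has to be public static with exactly this signature.
    public static ComponentUI createUI(JComponent c) {
        return SHARED;
    }

    @Override
    public void installUI(JComponent c) {
        // Set the property before super.installUI(): installComponents() calls
        // BasicHTML.updateRenderer(), which only skips building the HTML view
        // when "html.disable" is already TRUE on the component.
        c.putClientProperty("html.disable", Boolean.TRUE);
        super.installUI(c);
    }

    /** Registers this delegate for all labels; call once, before any JLabel is created. */
    public static void install() {
        UIManager.put("LabelUI", HtmlDisabledLabelUI.class.getName());
    }

    public static void main(String[] args) {
        install();
        SwingUtilities.invokeLater(() -> {
            JFrame frame = new JFrame("LabelUI with html.disable");
            frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
            // Constructed input: the reproducer from the question plus an ordinary HTML entry.
            String[] items = {"<html><img src='http:\\\\invalid\\url'>", "<html><h1>Hello</h1></html>", "plain"};
            JList<String> list = new JList<>(items); // DefaultListCellRenderer extends JLabel
            frame.add(new JScrollPane(list), BorderLayout.CENTER);
            frame.add(new JLabel("<html><b>shown as literal text</b></html>"), BorderLayout.SOUTH);
            frame.pack();
            frame.setVisible(true);
        });
    }
}
```

Two caveats: labels are painted by BasicLabelUI rather than the platform delegate, so platform-specific details such as the disabled-text colour or mnemonic underline follow the Basic look (extend the platform's own LabelUI, as the answer above does, if that matters), and the change is all-or-nothing, so application labels that legitimately rely on HTML markup lose it as well.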

For a simple JLabel, you can call the JComponent method
myLabel.putClientProperty("html.disable", Boolean.TRUE);
on the label for which you want to disable HTML rendering.
For things like JTable, JTree or JList, you need to create a custom cell renderer that sets this property. Here is an example for a JList (modified from that example), which creates a custom cell renderer.
import java.awt.Component;
import java.awt.FlowLayout;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JList;
import javax.swing.JScrollPane;
import javax.swing.ListCellRenderer;

public class JListTest {
    public static void main(String[] args) {
        JFrame.setDefaultLookAndFeelDecorated(true);
        JFrame frame = new JFrame("JList Test");
        frame.setLayout(new FlowLayout());
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        // The first entry is the reproducer from the question
        String[] selections = { "<html><img src='http:\\\\invalid\\url'>",
                "red", "orange", "dark blue" };
        JList<String> list = new JList<>(selections);
        // set the list cell renderer to the custom class defined below
        list.setCellRenderer(new MyCellRenderer());
        list.setSelectedIndex(1);
        System.out.println(list.getSelectedValue());
        frame.add(new JScrollPane(list));
        frame.pack();
        frame.setVisible(true);
    }
}

class MyCellRenderer extends JLabel implements ListCellRenderer<Object> {
    public MyCellRenderer() {
        setOpaque(true);
        // Must be set before the first setText() so no HTML view is ever built
        putClientProperty("html.disable", Boolean.TRUE);
    }

    @Override
    public Component getListCellRendererComponent(
            JList<?> list,
            Object value,
            int index,
            boolean isSelected,
            boolean cellHasFocus) {
        // String.valueOf() tolerates null list values, unlike value.toString()
        setText(String.valueOf(value));
        return this;
    }
}
I used the sample code from the ListCellRenderer documentation as the starting point for the custom list cell renderer.
When I run the example, you can see that the HTML in the first list entry is displayed rather than interpreted.
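The answer above shows the JList case. As an added example (not from the original answer), the following class applies the same client property to the default renderers of the components the question names: JList, JTable (cells and the column header, since column titles also come from the model) and JTree. Subclassing the default renderers, rather than JLabel directly, keeps the selection colours and focus border. The names PlainTextRenderers, plainText and install are my own choices, and the sample data is constructed.

```java
import java.awt.GridLayout;
import javax.swing.DefaultListCellRenderer;
import javax.swing.JComponent;
import javax.swing.JFrame;
import javax.swing.JList;
import javax.swing.JScrollPane;
import javax.swing.JTable;
import javax.swing.JTree;
import javax.swing.SwingUtilities;
import javax.swing.table.DefaultTableCellRenderer;
import javax.swing.table.TableCellRenderer;
import javax.swing.tree.DefaultMutableTreeNode;
import javax.swing.tree.DefaultTreeCellRenderer;

/** Installs HTML-disabled renderers on JList, JTable (cells and header) and JTree. Hypothetical helper. */
public final class PlainTextRenderers {

    private static final String HTML_DISABLE = "html.disable";

    private PlainTextRenderers() {
    }

    // Sets the property on a renderer before its first setText(). BasicLabelUI only
    // consults "html.disable" when the text changes, so an HTML view built earlier
    // would otherwise stay in place.
    static <T extends JComponent> T plainText(T renderer) {
        renderer.putClientProperty(HTML_DISABLE, Boolean.TRUE);
        return renderer;
    }

    public static void install(JList<?> list) {
        list.setCellRenderer(plainText(new DefaultListCellRenderer()));
    }

    public static void install(JTable table) {
        // Object.class is the fallback renderer used for String cells
        table.setDefaultRenderer(Object.class, plainText(new DefaultTableCellRenderer()));
        // Keep the look-and-feel header renderer (a JLabel subclass in the standard
        // look and feels) but disable HTML on it as well
        TableCellRenderer header = table.getTableHeader().getDefaultRenderer();
        if (header instanceof JComponent) {
            plainText((JComponent) header);
        }
    }

    public static void install(JTree tree) {
        tree.setCellRenderer(plainText(new DefaultTreeCellRenderer()));
    }

    public static void main(String[] args) {
        SwingUtilities.invokeLater(() -> {
            // Constructed inputs: the reproducer from the question placed in each component
            String hostile = "<html><img src='http:\\\\invalid\\url'>";

            JList<String> list = new JList<>(new String[] {hostile, "<html><h1>Hello</h1></html>", "plain"});
            install(list);

            JTable table = new JTable(
                    new Object[][] {{hostile, "a"}, {"<html><b>bold</b></html>", "b"}},
                    new Object[] {"<html><i>Name</i></html>", "Value"});
            install(table);

            DefaultMutableTreeNode root = new DefaultMutableTreeNode("root");
            root.add(new DefaultMutableTreeNode(hostile));
            JTree tree = new JTree(root);
            install(tree);

            JFrame frame = new JFrame("Plain-text renderers");
            frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
            frame.setLayout(new GridLayout(1, 3));
            frame.add(new JScrollPane(list));
            frame.add(new JScrollPane(table));
            frame.add(new JScrollPane(tree));
            frame.pack();
            frame.setVisible(true);
        });
    }
}
```

The ordering matters: the property has to be in place before the renderer's text is first set, which is why plainText() is applied to freshly created renderers and to the header renderer before the table is shown. A JComboBox uses a ListCellRenderer too, so the same DefaultListCellRenderer treatment applies there.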

Since there is no way to globally set the html.disable property to true for every created JLabel, a hacky approach (I say hacky because I am not sure about the performance impact, or whether such a solution could be used in production) is to do some bytecode interception of every created JLabel instance. A library like ByteBuddy can do this. I experimented a bit with ByteBuddy and found a way to set up a Java agent that intercepts calls to JLabel's setText() method. This method is called when a JLabel is created with the supplied text.
import net.bytebuddy.agent.builder.AgentBuilder;
import net.bytebuddy.agent.builder.AgentBuilder.InitializationStrategy;
import net.bytebuddy.agent.builder.AgentBuilder.Listener;
import net.bytebuddy.agent.builder.AgentBuilder.RedefinitionStrategy;
import net.bytebuddy.agent.builder.AgentBuilder.TypeStrategy;
import net.bytebuddy.asm.Advice;
import net.bytebuddy.dynamic.loading.ClassInjector;
import net.bytebuddy.matcher.StringMatcher;

import java.io.File;
import java.io.IOException;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;

import static java.util.Collections.singletonMap;
import static net.bytebuddy.description.type.TypeDescription.ForLoadedType;
import static net.bytebuddy.dynamic.ClassFileLocator.ForClassLoader.read;
import static net.bytebuddy.dynamic.loading.ClassInjector.UsingInstrumentation.Target.BOOTSTRAP;
import static net.bytebuddy.matcher.ElementMatchers.*;

public class JLabelAgent {
    private static final Class<?> INTERCEPTOR_CLASS = JLabelInterceptor.class;

    private JLabelAgent() {
    }

    public static void premain(String arg, Instrumentation instrumentation) throws Exception {
        // javax.swing.JLabel lives on the bootstrap class path, so the advice
        // class it will call into must be visible from there as well
        injectBootstrapClasses(instrumentation);
        new AgentBuilder.Default()
                // JLabel may already be loaded; retransform it instead of only hooking new loads
                .with(RedefinitionStrategy.RETRANSFORMATION)
                .with(InitializationStrategy.NoOp.INSTANCE)
                .with(TypeStrategy.Default.REDEFINE)
                .ignore(new AgentBuilder.RawMatcher.ForElementMatchers(nameStartsWith("net.bytebuddy.").or(isSynthetic()), any(), any()))
                // Log transformation events for JLabel only
                .with(new Listener.Filtering(
                        new StringMatcher("javax.swing.JLabel", StringMatcher.Mode.EQUALS_FULLY),
                        Listener.StreamWriting.toSystemOut()))
                .type(named("javax.swing.JLabel"))
                // Inline the interceptor's advice at the start of every setText() overload
                .transform((builder, type, classLoader, module) ->
                        builder.visit(Advice.to(INTERCEPTOR_CLASS).on(named("setText")))
                )
                .installOn(instrumentation);
    }

    private static void injectBootstrapClasses(Instrumentation instrumentation) throws IOException {
        File temp = Files.createTempDirectory("tmp").toFile();
        temp.deleteOnExit();
        ClassInjector.UsingInstrumentation.of(temp, BOOTSTRAP, instrumentation)
                .inject(singletonMap(new ForLoadedType(INTERCEPTOR_CLASS), read(INTERCEPTOR_CLASS)));
    }
}
import javax.swing.JComponent;
import net.bytebuddy.asm.Advice;
import net.bytebuddy.asm.Advice.Argument;
import net.bytebuddy.asm.Advice.This;

public class JLabelInterceptor {
    // Runs at the start of JLabel.setText(), i.e. before the text is stored and
    // before the label UI gets the chance to build an HTML view for it
    @Advice.OnMethodEnter()
    public static void setText(@This Object label, @Argument(0) String text) {
        ((JComponent) label).putClientProperty("html.disable", Boolean.TRUE);
        System.out.println("Label text is " + text);
    }
}
import java.awt.FlowLayout;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JList;
import javax.swing.JScrollPane;

public class Example {
    public static void main(String[] args) throws Exception {
        JFrame frame = new JFrame("JList Test");
        frame.setLayout(new FlowLayout());
        frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        // First entry is the reproducer from the question, second is ordinary HTML
        String[] selections = {"<html><img src='http:\\\\invalid\\url'>", "<html><H1>Hello</h1></html>", "orange", "dark blue"};
        JList<String> list = new JList<>(selections);
        list.setSelectedIndex(1);
        System.out.println(list.getSelectedValue());
        JLabel jLabel = new JLabel("<html><h2>standard Label</h2></html>");
        frame.add(new JScrollPane(list));
        frame.add(jLabel);
        frame.pack();
        frame.setVisible(true);
    }
}
Compile the Java agent and then run the example:
java -javaagent:agent.jar -jar example.jar
Note: when building the agent jar with Maven, I had to put the following configuration in the POM to set the manifest:
<plugin>
    <artifactId>maven-jar-plugin</artifactId>
    <configuration>
        <archive>
            <manifestEntries>
                <Can-Redefine-Classes>true</Can-Redefine-Classes>
                <Can-Retransform-Classes>true</Can-Retransform-Classes>
                <Agent-Class>example.JLabelAgent</Agent-Class>
                <Premain-Class>example.JLabelAgent</Premain-Class>
                <Boot-Class-Path>byte-buddy-1.10.14.jar</Boot-Class-Path>
            </manifestEntries>
        </archive>
    </configuration>
</plugin>
Views: 2409