HJW8472 · HJW8472 · Mar 30, 2020 · Mar 30, 2020
diff --git a/src/main/java/org/owasp/esapi/SecurityConfiguration.java b/src/main/java/org/owasp/esapi/SecurityConfiguration.java
@@ -640,13 +640,6 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
      */
     InputStream getResourceStream( String filename ) throws IOException;
 
-    /**
-     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
-     *
-     * @param fileName The resource file filename.
-     */
-	InputStream getResourceStreamFromClasspath( String fileName );
-
 	/**
 	 * Sets the ESAPI resource directory.
 	 * 

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java b/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
@@ -627,64 +627,6 @@ public File getResourceFile(String filename) {
 		return null;
 	}
 
-    /**
-     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
-     *
-     * @param fileName The resource file filename.
-     */
-	public InputStream getResourceStreamFromClasspath(String fileName) {
-		InputStream resourceStream = null;
-
-		ClassLoader[] loaders = new ClassLoader[] {
-				Thread.currentThread().getContextClassLoader(),
-				ClassLoader.getSystemClassLoader(),
-				getClass().getClassLoader() 
-		};
-
-        for (ClassLoader loader : loaders) {
-			// try root
-			String currentClasspathSearchLocation = "/ (root)";
-            resourceStream = loader.getResourceAsStream(DefaultSearchPath.ROOT.value() + fileName);
-
-			// try resourceDirectory folder
-			if (resourceStream == null){
-				currentClasspathSearchLocation = resourceDirectory + "/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCE_DIRECTORY.value() + fileName);
-			}
-
-			// try .esapi folder. Look here first for backward compatibility.
-			if (resourceStream == null){
-				currentClasspathSearchLocation = ".esapi/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.DOT_ESAPI.value() + fileName);
-			}
-
-			// try esapi folder (new directory)
-			if (resourceStream == null){
-				currentClasspathSearchLocation = "esapi/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.ESAPI.value() + fileName);
-			}
-
-			// try resources folder
-			if (resourceStream == null){
-				currentClasspathSearchLocation = "resources/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.RESOURCES.value() + fileName);
-			}
-
-			// try src/main/resources folder
-			if (resourceStream == null){
-				currentClasspathSearchLocation = "src/main/resources/";
-				resourceStream = loader.getResourceAsStream(DefaultSearchPath.SRC_MAIN_RESOURCES.value() + fileName);
-			}
-
-            if (resourceStream != null) {
-				logSpecial("SUCCESSFULLY LOADED " + fileName + " via the CLASSPATH from '" + currentClasspathSearchLocation + "'!");
-                break; // Outta here since we've found and loaded it.
-            }
-        }
-
-		return resourceStream;
-	}
-
     /**
      * Used to load ESAPI.properties from a variety of different classpath locations.
      *

diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
@@ -30,6 +30,7 @@
 import org.owasp.validator.html.Policy;
 import org.owasp.validator.html.PolicyException;
 import org.owasp.validator.html.ScanException;
+import org.owasp.esapi.reference.DefaultSecurityConfiguration;
 
 
 /**
@@ -48,6 +49,77 @@ public class HTMLValidationRule extends StringValidationRule {
 	private static final Logger LOGGER = ESAPI.getLogger( "HTMLValidationRule" );
 	private static final String ANTISAMYPOLICY_FILENAME = "antisamy-esapi.xml";
 
+    /**
+     * Used to load antisamy-esapi.xml from a variety of different classpath locations.
+	 * The classpath locations are the same classpath locations as used to load esapi.properties.
+	 * See DefaultSecurityConfiguration.DefaultSearchPath.
+     *
+     * @param fileName The resource file filename.
+     */
+	private static InputStream getResourceStreamFromClasspath(String fileName) {
+		InputStream resourceStream = null;
+
+		ClassLoader[] loaders = new ClassLoader[] {
+				Thread.currentThread().getContextClassLoader(),
+				ClassLoader.getSystemClassLoader(),
+				ESAPI.securityConfiguration().getClass().getClassLoader()  
+						/* can't use just getClass.getClassLoader() in a static context, so using the DefaultSecurityConfiguration class. */
+		};
+
+		String[] classLoaderNames = {
+				"current thread context class loader",
+				"system class loader",
+				"class loader for DefaultSecurityConfiguration class"
+		};
+
+		int i = 0;
+        for (ClassLoader loader : loaders) {
+			// try root
+			String currentClasspathSearchLocation = "/ (root)";
+            resourceStream = loader.getResourceAsStream(DefaultSecurityConfiguration.DefaultSearchPath.ROOT.value() + fileName);
+
+			// try resourceDirectory folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.RESOURCE_DIRECTORY.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try .esapi folder. Look here first for backward compatibility.
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.DOT_ESAPI.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try esapi folder (new directory)
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.ESAPI.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.RESOURCES.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+			// try src/main/resources folder
+			if (resourceStream == null){
+				currentClasspathSearchLocation = DefaultSecurityConfiguration.DefaultSearchPath.SRC_MAIN_RESOURCES.value();
+				resourceStream = loader.getResourceAsStream(currentClasspathSearchLocation + fileName);
+			}
+
+            if (resourceStream != null) {
+				LOGGER.info(Logger.EVENT_FAILURE, "SUCCESSFULLY LOADED " + fileName + " via the CLASSPATH from '" + 
+					currentClasspathSearchLocation + "' using " + classLoaderNames[i] + "!");
+                break; // Outta here since we've found and loaded it.
+            }
+
+			i++;
+        }
+
+		return resourceStream;
+	}
+
 	static {
         InputStream resourceStream = null;
 		try {
@@ -56,7 +128,7 @@ public class HTMLValidationRule extends StringValidationRule {
 
 			LOGGER.info(Logger.EVENT_FAILURE, "Loading " + ANTISAMYPOLICY_FILENAME + " from classpaths");
 
-			resourceStream = ESAPI.securityConfiguration().getResourceStreamFromClasspath(ANTISAMYPOLICY_FILENAME);
+			resourceStream = getResourceStreamFromClasspath(ANTISAMYPOLICY_FILENAME);
 		}
         if (resourceStream != null) {
         	try {