Skip to content

Commit

Permalink
Release 1.7.5 ready.
Browse files Browse the repository at this point in the history
  • Loading branch information
@davewichers
davewichers committed Feb 2, 2024
1 parent 3e84410 commit 12a2e31
Show file tree
Hide file tree
Showing 2 changed files with 37 additions and 28 deletions.
3 changes: 2 additions & 1 deletion SECURITY.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,8 @@ These are the known CVEs reported for AntiSamy:
* AntiSamy CVE #3 - CVE-2021-35043: AntiSamy before 1.6.4 allows XSS via HTML attributes using &#00058 as replacement for : character - https://nvd.nist.gov/vuln/detail/CVE-2021-35043
* AntiSamy CVE #4 - CVE-2022-28367: AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content - https://nvd.nist.gov/vuln/detail/CVE-2022-28367. NOTE: This release only included a PARTIAL fix.
* AntiSamy CVE #5 - CVE-2022-29577: AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content - https://nvd.nist.gov/vuln/detail/CVE-2022-29577. This is the complete fix to the previous CVE.
* AntiSamy CVE #6 - CVE-2023-43643: AntiSamy before 1.7.4 subject to mXSS when preserving comments - https://nvd.nist.gov/vuln/detail/CVE-2023-43643
* AntiSamy CVE #6 - CVE-2023-43643: AntiSamy before 1.7.4 subject to mutation XSS (mXSS) when preserving comments - https://nvd.nist.gov/vuln/detail/CVE-2023-43643
* AntiSamy CVE #7 - CVE-2024-23635: AntiSamy before 1.7.5 subject to mXSS when preserving comments - https://nvd.nist.gov/vuln/detail/CVE-2024-23635

CVEs in AntiSamy dependencies:
* AntiSamy before 1.6.6 used the old CyberNeko HTML library net.sourceforge.nekohtml:nekohtml:1.9.22, which is subject to https://nvd.nist.gov/vuln/detail/CVE-2022-28366 and no longer maintained. AntiSamy 1.6.6 upgraded to an active fork of CyberNeko at net.sourceforge.htmlunit:neko-htmlunit which fixed this CVE in v2.27 of that library. AntiSamy 1.6.6 upgraded to net.sourceforge.htmlunit:neko-htmlunit:2.60.0
Expand Down
62 changes: 35 additions & 27 deletions pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
<packaging>jar</packaging>
<version>1.7.5-SNAPSHOT</version>
<version>1.7.5</version>

<distributionManagement>
<snapshotRepository>
Expand Down Expand Up @@ -73,7 +73,7 @@
<fluido.version>2.0.0-M8</fluido.version>
<gpg.skip>true</gpg.skip><!-- by default skip gpg -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.build.outputTimestamp>2023-12-18T21:08:34Z</project.build.outputTimestamp>
<project.build.outputTimestamp>2024-02-02T15:23:04Z</project.build.outputTimestamp>
<project.java.target>1.8</project.java.target>
<version.findsecbugs>1.12.0</version.findsecbugs>
<version.slf4j>2.0.11</version.slf4j>
Expand All @@ -92,55 +92,50 @@

<dependencies>
<dependency>
<groupId>org.htmlunit</groupId>
<artifactId>neko-htmlunit</artifactId>
<version>3.11.0</version>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.15.1</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
<version>5.3.1</version>
<exclusions>
<!-- exclude this old version as we directly import a newer one -->
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5</artifactId>
<version>5.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.xmlgraphics</groupId>
<artifactId>batik-css</artifactId>
<version>1.17</version>
<exclusions>
<!-- exclude this old version of commons-io as newer can be used -->
<!-- exclude this old version as we directly import a newer one -->
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
<!-- exclude this as batik-css has a dependency that uses an older commons-logging and we want to eliminate the convergence mismatch -->
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.15.1</version>
<groupId>org.htmlunit</groupId>
<artifactId>neko-htmlunit</artifactId>
<version>3.11.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${version.slf4j}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${version.slf4j}</version>
<scope>test</scope>
</dependency>
<!-- without this import you get: SLF4J: Defaulting to no-operation (NOP) logger implementation -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>${version.slf4j}</version>
<scope>test</scope>
</dependency>

<!-- While Java 7+ includes Xerces in the JRE, it apparently doesn't provide all the features we use that are in the 3rd party version.
So we import it directly. -->
<dependency>
Expand Down Expand Up @@ -201,6 +196,19 @@
<version>2.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${version.slf4j}</version>
<scope>test</scope>
</dependency>
<!-- without this import you get: SLF4J: Defaulting to no-operation (NOP) logger implementation -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>${version.slf4j}</version>
<scope>test</scope>
</dependency>

</dependencies>

Expand Down

0 comments on commit 12a2e31

Please sign in to comment.