[ 
https://issues.apache.org/jira/browse/SLING-10953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471885#comment-17471885
 ] 

Robert Munteanu commented on SLING-10953:
-----------------------------------------

[~kwin] - AntiSamy 1.5.10 (and presumably earlier) to 1.6.4 rely on the 
default discovery mechanism, and we relied on that to make sure Xalan was 
selected.

AntiSamy 1.6.4 added a requirement for two JAXP 1.5 attributes that Xalan does 
not support (and never will, given that it's basically EOL).

AntiSamy 1.6.5 plans to further restrict the choice of transformer factories by 
hardcoding the selection to the JVM-provided one, which IMO is quite a bad 
choice.

I am trying to convince them to revert to using the transformer factory 
discovery mechanism and also to tolerate XML parsers that don't support the 
attributes they now require.

> Update dependency Antisamy version from 1.5.10 to 1.6.4
> -------------------------------------------------------
>
>                 Key: SLING-10953
>                 URL: https://issues.apache.org/jira/browse/SLING-10953
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Tatyana Vogel
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: XSS Protection API 2.2.18
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The latest version of AntiSamy is 1.6.4, see 
> https://search.maven.org/search?q=g:org.owasp.antisamy%20AND%20a:antisamy . 
> We should upgrade to that version, since we embed the AntiSamy bundle and 
> there is no other way for consumers of the bundle to upgrade.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
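The comment above contrasts JAXP TransformerFactory discovery with a hardcoded JVM implementation, and asks that unsupported JAXP 1.5 attributes be tolerated. The following is an added illustration of that approach, not code from AntiSamy or Sling; it assumes the two attributes in question are XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_STYLESHEET (the JAXP 1.5 attributes defined for TransformerFactory), and the class and method names are hypothetical:

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

/** Added example (not AntiSamy/Sling code): discovery-based, tolerant factory setup. */
public final class TransformerFactories {

    private TransformerFactories() {}

    /**
     * Obtains a TransformerFactory through the standard JAXP discovery mechanism
     * (javax.xml.transform.TransformerFactory system property, then the service
     * loader, then the platform default). In an OSGi bundle that embeds Xalan this
     * is what lets Xalan be selected instead of the JDK's internal XSLTC.
     */
    public static TransformerFactory newDiscoveredHardenedFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();

        // FEATURE_SECURE_PROCESSING predates JAXP 1.5 and is honoured by Xalan,
        // so a failure here really is fatal.
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            throw new IllegalStateException("Secure processing is mandatory", e);
        }

        // The JAXP 1.5 external-access attributes (assumed to be the two the
        // comment refers to). An implementation that does not know them, such as
        // Xalan, throws IllegalArgumentException; tolerate that instead of failing.
        setAttributeIfSupported(factory, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        setAttributeIfSupported(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /**
     * The contrasting, hardcoded choice: pinning the JDK-internal XSLTC factory.
     * This bypasses discovery entirely, so a deployment that ships Xalan (or any
     * other implementation) can no longer influence which factory is used.
     */
    public static TransformerFactory newJvmPinnedFactory() {
        return TransformerFactory.newInstance(
                "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl",
                TransformerFactories.class.getClassLoader());
    }

    /** Returns true if the attribute was applied, false if the implementation rejected it. */
    static boolean setAttributeIfSupported(TransformerFactory factory, String name, Object value) {
        try {
            factory.setAttribute(name, value);
            return true;
        } catch (IllegalArgumentException e) {
            System.err.println(factory.getClass().getName()
                    + " does not support attribute " + name + ", continuing without it");
            return false;
        }
    }

    public static void main(String[] args) {
        TransformerFactory discovered = newDiscoveredHardenedFactory();
        System.out.println("Discovered factory: " + discovered.getClass().getName());
    }
}
```

With Xalan on the class path (or registered via the service loader), the discovered factory reports org.apache.xalan.processor.TransformerFactoryImpl and the two setAttribute calls are reported as unsupported but non-fatal; with only the JDK present, the internal XSLTC factory is selected and both attributes are applied.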