[
https://issues.apache.org/jira/browse/SLING-13093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056119#comment-18056119
]
Julian Reschke commented on SLING-13093:
----------------------------------------
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.0:provided
[INFO] +- org.owasp.encoder:encoder:jar:1.2.3:provided
[INFO] +- org.owasp.esapi:esapi:jar:2.6.0.0:provided
[INFO] | +- xom:xom:jar:1.3.9:provided
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.4:provided
[INFO] | | \- commons-logging:commons-logging:jar:1.2:provided
> Sling XSS should not depend on log4j 1.x
> ----------------------------------------
>
> Key: SLING-13093
> URL: https://issues.apache.org/jira/browse/SLING-13093
> Project: Sling
> Issue Type: Bug
> Components: XSS Protection API
> Affects Versions: XSS Protection API 2.4.8
> Reporter: Carsten Ziegeler
> Priority: Critical
>
> Some component currently requires org.apache.log4j, at least this is in the
> package imports.
> As log4j 1.x has been end of life for over ten years
> (https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), this
> dependency needs to be removed.