[ 
https://issues.apache.org/jira/browse/SLING-13093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056120#comment-18056120
 ] 

Julian Reschke edited comment on SLING-13093 at 2/3/26 7:32 AM:
----------------------------------------------------------------

{{diff --git a/pom.xml b/pom.xml}}
{{index 4437740..bd69caa 100644}}
{{--- a/pom.xml}}
{{+++ b/pom.xml}}
{{@@ -79,7 +79,7 @@}}
{{         <dependency>}}
{{             <groupId>org.owasp.esapi</groupId>}}
{{             <artifactId>esapi</artifactId>}}
{{-            <version>2.6.0.0</version>}}
{{+            <version>2.6.2.0</version>}}
{{             <scope>provided</scope>}}
{{             <exclusions>}}
{{                 <exclusion>}}
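
Review bot: The version change on the `esapi` dependency comes with no evidence that `org.apache.log4j` actually drops out of the bundle's package imports, which is what SLING-13093 asks for. The hunk only moves `<version>` from 2.6.0.0 to 2.6.2.0, and the `<exclusions>` list is cut off at the context boundary, so these lines do not show whether the import originates in ESAPI itself or in a transitive dependency. Suggest attaching the generated Import-Package header from before and after the bump, and adding a build-time check that fails if `org.apache.log4j` reappears.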

should be sufficient.


was (Author: reschke):
{{diff --git a/pom.xml b/pom.xml}}
{{index 4437740..bd69caa 100644}}
{{--- a/pom.xml}}
{{+++ b/pom.xml}}
{{@@ -79,7 +79,7 @@}}
{{         <dependency>}}
{{             <groupId>org.owasp.esapi</groupId>}}
{{             <artifactId>esapi</artifactId>}}
{{-            <version>2.6.0.0</version>}}
{{+            <version>2.6.2.0</version>}}
{{             <scope>provided</scope>}}
{{             <exclusions>}}
{{                 <exclusion>}}

> Sling XSS should not depend on log4j 1.x
> ----------------------------------------
>
>                 Key: SLING-13093
>                 URL: https://issues.apache.org/jira/browse/SLING-13093
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 2.4.8
>            Reporter: Carsten Ziegeler
>            Priority: Critical
>
> Some component currently requires org.apache.log4j; at least this is in the
> package imports.
> As log4j 1.x has been end of life for over ten years
> (https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), this
> dependency needs to be removed.


