[jira] [Commented] (SLING-13093) Sling XSS should not depend on log4j 1.x

Carsten Ziegeler (Jira) Mon, 02 Feb 2026 23:44:12 -0800


    [ 
https://issues.apache.org/jira/browse/SLING-13093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056123#comment-18056123
 ]


Carsten Ziegeler commented on SLING-13093:
------------------------------------------

if possible, yes

> Sling XSS should not depend on log4j 1.x
> ----------------------------------------
>
>                 Key: SLING-13093
>                 URL: https://issues.apache.org/jira/browse/SLING-13093
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 2.4.8
>            Reporter: Carsten Ziegeler
>            Assignee: Julian Reschke
>            Priority: Critical
>
> Some component currently requires org.apache.log4j, at least this is in the 
> package imports.
> As log4j 1.x is out of life since over ten years 
> (https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), this 
> dependency needs to be removed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (SLING-13093) Sling XSS should not depend on log4j 1.x

Reply via email to