[ https://issues.apache.org/jira/browse/TIKA-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16349427#comment-16349427 ]
Asela commented on TIKA-2561:
-----------------------------

Hello [~talli...@mitre.org],

As I understand, one of the features JSoup provides is to clean/sanitise HTML. If this feature of JSoup is leveraged at all somewhere, then I guess the implication here is that the clean may not be working as expected and still generate markup that has XSS in it.

https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

> Tika Parser includes outdated/vulnerable version of JSoup
> --------------------------------------------------------
>
> Key: TIKA-2561
> URL: https://issues.apache.org/jira/browse/TIKA-2561
> Project: Tika
> Issue Type: Bug
> Components: parser
> Affects Versions: 1.17
> Reporter: Asela
> Priority: Major
>
> org.apache.tika:tika-parsers:1.17 pulls in dependency JSoup 1.7.2.
>
> JSoup versions older than 1.8.3 have a vulnerability in parsing.
>
> https://nvd.nist.gov/vuln/detail/CVE-2015-6748

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
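The comment above refers to jsoup's whitelist sanitizer. The following is an added example (not code from the ticket, from Tika, or from the jsoup project) showing how a project that depends on that sanitizer can exercise it after bumping jsoup to 1.8.3 or later: it cleans a constructed piece of untrusted markup with `Whitelist.basic()`, applies a simple post-check, and prints the version of the jsoup jar actually loaded at runtime. The class name, the sample input and the `looksClean` helper are this example's own; it assumes `org.jsoup:jsoup` is on the classpath.

```java
// Added example, not part of TIKA-2561: exercises jsoup's whitelist
// sanitizer so a project can verify, after raising the jsoup dependency
// to >= 1.8.3, that untrusted markup is reduced to the allowed tag set.
// Assumes org.jsoup:jsoup is on the classpath.
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class JsoupSanitizerCheck {

    // Constructed sample of untrusted body HTML: a paragraph the whitelist
    // should keep, a script element it should drop, and a link whose
    // non-http(s) scheme Whitelist.basic() does not permit.
    static final String UNTRUSTED =
        "<p>Hello <b>world</b></p><script>x()</script>"
        + "<a href=\"javascript:void(0)\">link</a>";

    /** Reduce untrusted body HTML to the tags and attributes in Whitelist.basic(). */
    static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, Whitelist.basic());
    }

    /** Defensive post-check: true only if nothing script-like survived cleaning. */
    static boolean looksClean(String cleaned) {
        String lower = cleaned.toLowerCase();
        return !lower.contains("<script") && !lower.contains("javascript:");
    }

    public static void main(String[] args) {
        String cleaned = sanitize(UNTRUSTED);
        System.out.println("cleaned: " + cleaned);

        // Jsoup.isValid() reports whether the input already conforms to the
        // whitelist without any cleaning; for this sample it is false.
        System.out.println("input already valid? "
            + Jsoup.isValid(UNTRUSTED, Whitelist.basic()));

        System.out.println("post-check passed: " + looksClean(cleaned));

        // Version of the jsoup jar actually loaded (null if the jar's
        // manifest carries no Implementation-Version entry).
        System.out.println("jsoup jar version: "
            + Jsoup.class.getPackage().getImplementationVersion());
    }
}
```

The post-check is deliberately crude; its purpose is to fail loudly in a test suite if the sanitizer ever regresses, not to replace it. To see which jsoup version a build really resolves through tika-parsers, `mvn dependency:tree -Dincludes=org.jsoup` lists the transitive path, and a `<dependencyManagement>` entry in the consuming project's pom can pin `org.jsoup:jsoup` to 1.8.3 or later until the upstream dependency is updated.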