[
https://issues.apache.org/jira/browse/TIKA-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16349427#comment-16349427
]
Asela commented on TIKA-2561:
-----------------------------
Hello [~talli...@mitre.org] ,
As I understand one of the features JSoup provides is to clean/sanitise HTML.
If this feature of JSoup is leveraged at all somewhere then I guess the
implication here is that the clean may not be working as expected and still
generate markup that has XSS in it.
https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
> Tika Parser includes oudated/vulnerable version of JSoup
> --------------------------------------------------------
>
> Key: TIKA-2561
> URL: https://issues.apache.org/jira/browse/TIKA-2561
> Project: Tika
> Issue Type: Bug
> Components: parser
> Affects Versions: 1.17
> Reporter: Asela
> Priority: Major
>
> org.apache.tika:tika-parsers:1.17 pulls in dependency JSoup 1.7.2.
>
> JSoup versions older than 1.8.3 have a vulnerability in parsing.
>
> https://nvd.nist.gov/vuln/detail/CVE-2015-6748
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
