[ https://issues.apache.org/jira/browse/TOBAGO-2304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837150#comment-17837150 ]

Timur Muslimov commented on TOBAGO-2304:
----------------------------------------

Thank you, but I didn't find it in your release notes or in closed tasks: https://issues.apache.org/jira/browse/TOBAGO-2134?jql=project%20%3D%20TOBAGO%20AND%20fixVersion%20in%20(2.5.0%2C%202.5.1)

> Update jsoup to 1.15.3
> ----------------------
>
> Key: TOBAGO-2304
> URL: https://issues.apache.org/jira/browse/TOBAGO-2304
> Project: MyFaces Tobago
> Issue Type: Task
> Reporter: Timur Muslimov
> Assignee: Henning Nöth
> Priority: Major
>
> Because of the issue in the current version - [CVE-2022-36033|https://nvd.nist.gov/vuln/detail/CVE-2022-36033]:
> jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.
>
> To remediate this issue without immediately upgrading:
> - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
> - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
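The two `Safelist` settings the quoted advisory contrasts, plus the re-check it recommends for already-persisted content, as an added example that is neither Tobago nor jsoup project code. The base URI, class name and the `allLinksHaveAllowedScheme` helper are assumptions for illustration; the jsoup calls (`Jsoup.clean`, `Safelist.basic`, `preserveRelativeLinks`, `absUrl`) are the library's public API.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

// Added example, not part of Tobago or jsoup. Shows the risky non-default
// Safelist setting from the advisory next to the mitigated default, and a
// post-clean link check suitable for re-validating stored HTML.
public final class SafeHtmlCleaner {

    // Assumed base URI for this example. With preserveRelativeLinks disabled,
    // jsoup resolves relative links against it and emits absolute URLs, which
    // is the workaround named for versions before 1.15.3.
    private static final String BASE_URI = "https://example.invalid/";

    // Non-default setting the advisory warns about: relative hrefs are kept verbatim.
    static Safelist riskySafelist() {
        return Safelist.basic().preserveRelativeLinks(true);
    }

    // Mitigated setting (the default): hrefs are resolved to absolute form and
    // then checked against the protocols the Safelist allows.
    static Safelist hardenedSafelist() {
        return Safelist.basic().preserveRelativeLinks(false);
    }

    static String clean(String untrustedHtml, Safelist safelist) {
        return Jsoup.clean(untrustedHtml, BASE_URI, safelist);
    }

    // Defence-in-depth check after cleaning, also usable when re-cleaning
    // persisted content: every <a href> must resolve to http, https or mailto.
    static boolean allLinksHaveAllowedScheme(String cleanedHtml) {
        String[] allowed = {"http:", "https:", "mailto:"};
        Document doc = Jsoup.parseBodyFragment(cleanedHtml, BASE_URI);
        for (Element a : doc.select("a[href]")) {
            String abs = a.absUrl("href").trim().toLowerCase(); // "" if unresolvable
            boolean ok = false;
            for (String prefix : allowed) ok |= abs.startsWith(prefix);
            if (!ok) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input: one relative link and one mailto link.
        String input = "<p>See <a href=\"docs/index.html\">docs</a> or "
                     + "<a href=\"mailto:team@example.invalid\">mail</a>.</p>";
        String out = clean(input, hardenedSafelist());
        System.out.println(out);
        System.out.println("links ok: " + allLinksHaveAllowedScheme(out));
    }
}
```

Running the same input through `riskySafelist()` leaves `docs/index.html` relative, which is the configuration the advisory says to avoid until jsoup 1.15.3 is in place.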