Closed: mpreziuso closed this pull request 4 months ago
@mpreziuso - Because there are no actual code changes here that will go into the ESAPI jar (the few code changes were simply adjustments to JUnit tests caused by the update to AntiSamy 1.7.5), I am not going to ask you to go back and do this PR over and sign your commits, but for a while now, we have been requiring signed commits. I would suggest reading through https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification and then creating and uploading your public signing key. Had this been code changes that would have ended up in the ESAPI jar though, I would have rejected this PR until this was corrected.
An important note: CVE-2024-23635 does NOT impact ESAPI unless you have added AntiSamy's 'preserveComments' directive to ESAPI's AntiSamy policy file, "antisamy-esapi.xml", which I would consider similar to intentionally sabotaging yourself. For further details, please see my post "Before you panic - New AntiSamy release available" made to the esapi-project-users Google group.
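Since the exposure hinges on whether the policy file carries that one directive, a quick way for a deployer to confirm their own configuration is to parse the policy and look for it. The script below is an added example, not code from the ESAPI or AntiSamy projects; it assumes AntiSamy's policy layout of `<directives><directive name="..." value="..."/></directives>`, treats an absent directive as not enabled (the note above says it must be added to take effect), and uses constructed sample policies rather than a copy of antisamy-esapi.xml.

```python
# Added example (not ESAPI or AntiSamy project code): report whether an
# AntiSamy policy file turns on the "preserveComments" directive, the
# setting the maintainer's note identifies as the precondition for
# CVE-2024-23635 exposure in ESAPI.
# Assumption: policies follow AntiSamy's schema of
#   <directives><directive name="..." value="..."/></directives>
import xml.etree.ElementTree as ET

DIRECTIVE = "preserveComments"


def directive_value(policy_xml: str, name: str):
    """Return the string value of the named <directive>, or None if it is absent."""
    root = ET.fromstring(policy_xml)
    # Match on the local tag name so a policy with or without a default
    # XML namespace is handled the same way.
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if local == "directive" and elem.get("name") == name:
            return elem.get("value")
    return None


def preserve_comments_enabled(policy_xml: str) -> bool:
    """True only when preserveComments is explicitly set to "true"; absent means off."""
    value = directive_value(policy_xml, DIRECTIVE)
    return value is not None and value.strip().lower() == "true"


# Constructed sample policies (not copies of antisamy-esapi.xml).
POLICY_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="useXHTML" value="true"/>
  </directives>
</anti-samy-rules>
"""

POLICY_PRESERVING = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules>
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="preserveComments" value="true"/>
  </directives>
</anti-samy-rules>
"""

# Constructed variant with a default namespace (placeholder URI) to show the
# local-name matching above still finds the directive.
POLICY_NS = """<?xml version="1.0" encoding="UTF-8"?>
<anti-samy-rules xmlns="urn:example:antisamy-policy">
  <directives>
    <directive name="preserveComments" value="TRUE"/>
  </directives>
</anti-samy-rules>
"""


def report(policy_xml: str, label: str) -> str:
    """One-line summary suitable for a config-audit log."""
    if preserve_comments_enabled(policy_xml):
        status = "ENABLED (review against the CVE-2024-23635 guidance)"
    else:
        status = "not enabled"
    return f"{label}: preserveComments {status}"


if __name__ == "__main__":
    print(report(POLICY_DEFAULT, "default-style policy"))
    print(report(POLICY_PRESERVING, "policy with preserveComments"))
    print(report(POLICY_NS, "namespaced policy"))
```

To run it against a real deployment, read the policy file ESAPI is configured to use (the `antisamy-esapi.xml` referenced above) into a string and pass it to `report()`; anything other than "not enabled" is worth a second look before deciding the CVE is irrelevant to you.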
This is to resolve CVE-2024-23635 relating to Antisamy 1.7.4. It's related and similar to https://github.com/ESAPI/esapi-java-legacy/pull/830, however it resolves dependency conflicts and updates 2 test cases as the output we get from Antisamy looks a bit different. I think this is to be expected: as mentioned in the release notes for Antisamy 1.7.5 the output may have changed again:
Also related to: https://github.com/nahsra/antisamy/issues/389 and https://github.com/nahsra/antisamy/pull/388.