OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

All-in-one version with shaded guava #157

Closed cnsgithub closed 8 months ago

cnsgithub commented 5 years ago

Hi,

I'd like to use owasp-java-html-sanitizer in PrimeFaces (a popular JSF component suite). However, because of very restrictive policies regarding the use of third-party policies my PR cannot be merged.

The problem is the dependency on guava, which is a really big one that is also widely used, and therefore version conflicts are conceivable.

So I come to the question whether it would be possible for you to provide an additional all-in-one version of owasp-java-html-sanitizer having the guava dependency shaded?

Please see https://github.com/primefaces/primefaces/issues/3214 for the reasons why my PR was reverted.

Thanks.
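What the request above amounts to, as an added example that is not part of the issue or of the project's own build: a consumer-side pom.xml fragment that uses maven-shade-plugin to bundle the sanitizer together with its guava dependency and relocate guava's packages into a private namespace, so the bundled copy cannot collide with whatever guava version the host application already has on the classpath. The Maven coordinates of the sanitizer and of guava are real; the version values and the shaded package prefix are placeholders.

```xml
<!-- pom.xml fragment (added example, not from the project). Builds an all-in-one
     jar in which guava is relocated so it cannot conflict with another guava
     version on the application classpath. Versions are placeholders. -->
<dependencies>
  <dependency>
    <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
    <artifactId>owasp-java-html-sanitizer</artifactId>
    <version>SANITIZER_VERSION_PLACEHOLDER</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>SHADE_PLUGIN_VERSION_PLACEHOLDER</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals><goal>shade</goal></goals>
          <configuration>
            <!-- bundle only the sanitizer and its guava dependency -->
            <artifactSet>
              <includes>
                <include>com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer</include>
                <include>com.google.guava:guava</include>
              </includes>
            </artifactSet>
            <!-- rewrite guava's packages (and the sanitizer's references to
                 them) into a private namespace; the host app's own guava stays
                 untouched -->
            <relocations>
              <relocation>
                <pattern>com.google.common</pattern>
                <shadedPattern>shaded.owaspsanitizer.com.google.common</shadedPattern>
              </relocation>
              <relocation>
                <pattern>com.google.thirdparty</pattern>
                <shadedPattern>shaded.owaspsanitizer.com.google.thirdparty</shadedPattern>
              </relocation>
            </relocations>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

A shaded copy of guava is invisible to normal dependency management and to tools that scan declared dependencies for known-vulnerable versions, so the bundled guava version has to be tracked and updated separately.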

blackmagic0 commented 5 years ago

Just for the sake of documenting collisions, OWASP using guava 19.0 makes it incompatible with graphql-java-tools 5.2.4, and graphql-java-servlet 6.2.0.

jmanico commented 5 years ago

Duly noted. Thank you for this update.

On 10/24/18 9:46 AM, Jacob Pozaic wrote:

Just for the sake of documenting collisions, OWASP using guava 19.0 makes it incompatible with graphql-java-tools 5.2.4, and graphql-java-servlet 6.2.0.

tandraschko commented 5 years ago

@mikesamuel is there a possibility to move away from guava? other owasp libs (like esapi or encoder) don't use guava AFAICS

we could even do the change probably and provide a PR for it.

fr4x1nu5 commented 5 years ago

Used guava imports: https://github.com/OWASP/java-html-sanitizer/search?p=1&q=in%3Afile+%22import+com.google%22

commodis commented 3 years ago

Most imports seem to be optional after using Java 8+ and reimplementing some functionality

stolp commented 1 year ago

After having this open for almost five years now and having pull request #272 open for resolving it, could you please reconsider removing this dependency?

seinecle commented 1 year ago

still interested in this issue: Primefaces is using this sanitizer and as a result it gets Guava on board. Any way that Guava can be ditched? Thank you!