Guava removal breaks compatibility (with JDK9)

[csware]

The minimum required Java version was explicitly raised to 9 with the recent removal of Guava (cf. commit 3b6cc1b7e6d7992c5b15f87f91dc163de7d35c05).

I appreciate that Guava was dropped recently, however, there is a problem: Map.copyOf (also List.copyOf) was first introduced with Java 10.

The method Files.readString used in the tests, was introduced with Java 11 (here, Commons-IO could be used, or just plain new String(Files.readAllBytes(path), Charsets.toCharset(charset));).

I suppose reasons are:

1. The compiler plugin is too old and does not support the --release parameter (cf. #304)
2. No automatic checks are automatically executed (cf. #305)

[csware]

PR #302 reduces the usage of *.copyOf, still there are some places where it is used.

Should we introduce our own helper method? Or build a multi-release jar in which the helper just delegates to the JRE classes?

In general, JDK8 compatibility can be achieved without too much effort if needed.

[csware]

Btw. for me the following tests fails (itroduced by commit 91c5fdc146a01aab1e8b0db38be449a960fe88c1):

org.owasp.html.HtmlPolicyBuilderTest
testRelLinksWhenRelisPartOfData(org.owasp.html.HtmlPolicyBuilderTest)
junit.framework.AssertionFailedError: Failure in testRelLinksWhenRelisPartOfData

[melloware]

I am not sure Java9 should be supported as its a Non LTS version: https://www.oracle.com/java/technologies/java-se-support-roadmap.html

I think Java 11 LTS is the lowest version that should be supported

[csware]

Many Apache Common projects still target 1.8 that's why I'm asking. Otherwise, we should target Java 11 (and update all respective references).

[csware]

Here you can find a proof of concept for supporting Java 1.8: https://github.com/csware/java-html-sanitizer/tree/target-jdk8, diff: https://github.com/csware/java-html-sanitizer/compare/main..target-jdk8

[melloware]

I like the idea of supporting JDK8

[csware]

I'd like to have the other PRs mergred first, then I can provide a new MR that will bring JDK9 and (if wanted) JDK8 compatibility. Please merge the other PRs first as there are dependencies.

I have two questions:

• At several places I've spotted <? extends String> what is the reason for that? String is final. What about changing these to <String> (especially for internal classes, cf. https://github.com/csware/java-html-sanitizer/tree/cleanup-classtypeparameters)?
• In https://github.com/OWASP/java-html-sanitizer/blob/91c5fdc146a01aab1e8b0db38be449a960fe88c1/src/main/java/org/owasp/html/ElementAndAttributePolicies.java#L56, https://github.com/OWASP/java-html-sanitizer/blob/91c5fdc146a01aab1e8b0db38be449a960fe88c1/src/main/java/org/owasp/html/HtmlPolicyBuilder.java#L1011 and https://github.com/OWASP/java-html-sanitizer/blob/91c5fdc146a01aab1e8b0db38be449a960fe88c1/src/main/java/org/owasp/html/HtmlPolicyBuilder.java#L877 copies are made, but the constructors are package scope so those are technically not requiured as in https://github.com/OWASP/java-html-sanitizer/blob/91c5fdc146a01aab1e8b0db38be449a960fe88c1/src/main/java/org/owasp/html/PolicyFactory.java#L69). Can we drop these? Or replace by Collections.unmodifiable*() (and remove those calles from the calling side)?

[melloware]

Ok I think we should shoot for JDK8

[csware]

@mikesamuel I would be happy to discuss this with you...

[mikesamuel]

My concern with defensive copies without {Map,List,Set}.copyOf, as noted at https://github.com/OWASP/java-html-sanitizer/pull/321#issuecomment-1924646239 is that defensive copies after the first are not cheap.

iirc, the decision to go with JDK 10 (we thought they were 9 which is on me) was that the .of and .copyOf factories recognize each others' outputs and so one can pass a collection through multiple layers that defensively copy without incurring the cost of those copies multiple times.

which is referring to these implementation notes:

static <K,V> Map<K,V> copyOf​(Map<? extends K,? extends V> map)

Implementation Note: If the given Map is an unmodifiable Map, calling copyOf will generally not create a copy.

How might we keep redundant copies cheap?

[csware]

I'm using a wrapper in my JDK8 branch and building a multi-release jar (cf. https://github.com/csware/java-html-sanitizer/compare/main..target-jdk8b).

Also, are there many places where additional copies are made (apart from the ones mentioned in https://github.com/OWASP/java-html-sanitizer/issues/301#issuecomment-1919825639)?

[wcruppel]

Removing the dependency on Guava is GOOD. Adding a dependency on Java 9 is BAD. I mean, really?! This isn't even LTS.

This is a surefire way to force people (including my group) to find an alternative. We have a hard requirement on Java 8 and will for the foreseeable future.

So, please reconsider.

As @csware notes, JDK8 compatibility can be achieved without too much effort

[rombert]

Should this issue be closed? https://github.com/OWASP/java-html-sanitizer/releases/tag/release-20240325.1 is listed as having Java 8 compatibility via https://github.com/OWASP/java-html-sanitizer/pull/328 .