Closed csware closed 3 months ago
PR #302 reduces the usage of *.copyOf, still there are some places where it is used.
Should we introduce our own helper method? Or build a multi-release jar in which the helper just delegates to the JRE classes?
In general, JDK8 compatibility can be achieved without too much effort if needed.
Btw. for me the following test fails (introduced by commit 91c5fdc146a01aab1e8b0db38be449a960fe88c1):
org.owasp.html.HtmlPolicyBuilderTest
testRelLinksWhenRelisPartOfData(org.owasp.html.HtmlPolicyBuilderTest)
junit.framework.AssertionFailedError: Failure in testRelLinksWhenRelisPartOfData
I am not sure Java 9 should be supported as it's a non-LTS version: https://www.oracle.com/java/technologies/java-se-support-roadmap.html
I think Java 11 LTS is the lowest version that should be supported
Many Apache Commons projects still target 1.8, that's why I'm asking. Otherwise, we should target Java 11 (and update all respective references).
Here you can find a proof of concept for supporting Java 1.8: https://github.com/csware/java-html-sanitizer/tree/target-jdk8, diff: https://github.com/csware/java-html-sanitizer/compare/main..target-jdk8
I like the idea of supporting JDK8
I'd like to have the other PRs merged first, then I can provide a new MR that will bring JDK9 and (if wanted) JDK8 compatibility. Please merge the other PRs first as there are dependencies.
I have two questions:
<? extends String>: what is the reason for that? String is final. What about changing these to <String> (especially for internal classes, cf. https://github.com/csware/java-html-sanitizer/tree/cleanup-classtypeparameters)?
Collections.unmodifiable*() (and remove those calls from the calling side)?
Ok I think we should shoot for JDK8
@mikesamuel I would be happy to discuss this with you...
My concern with defensive copies without {Map,List,Set}.copyOf, as noted at https://github.com/OWASP/java-html-sanitizer/pull/321#issuecomment-1924646239, is that defensive copies after the first are not cheap.
iirc, the decision to go with JDK 10 (we thought they were 9 which is on me) was that the .of and .copyOf factories recognize each others' outputs and so one can pass a collection through multiple layers that defensively copy without incurring the cost of those copies multiple times.
which is referring to these implementation notes:
static <K,V> Map<K,V> copyOf(Map<? extends K,? extends V> map)
Implementation Note: If the given Map is an unmodifiable Map, calling copyOf will generally not create a copy.
How might we keep redundant copies cheap?
I'm using a wrapper in my JDK8 branch and building a multi-release jar (cf. https://github.com/csware/java-html-sanitizer/compare/main..target-jdk8b).
Also, are there many places where additional copies are made (apart from the ones mentioned in https://github.com/OWASP/java-html-sanitizer/issues/301#issuecomment-1919825639)?
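A sketch of the idea behind both comments above, added here as an example (it is not code from the java-html-sanitizer project or from either of the linked branches): a hypothetical Java 8 stand-in for Map.copyOf that recognises its own private unmodifiable wrapper, so a second, third or n-th defensive copy returns the same instance instead of copying again, mirroring the implementation note quoted for Map.copyOf. The class name SafeCollections, the wrapper FrozenMap and the null-rejection rule are assumptions of this example.

```java
import java.util.AbstractMap;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical Java 8 replacement for Map.copyOf (example only).
 * The copy is idempotent: copyOf(copyOf(m)) == copyOf(m), so a value that is
 * handed through several layers which each "defensively copy" it is copied once.
 */
final class SafeCollections {
  private SafeCollections() {}

  /**
   * Private marker wrapper. Only this class can construct one, so an instance
   * is known to be unmodifiable and to hold a map nobody else can reach.
   */
  private static final class FrozenMap<K, V> extends AbstractMap<K, V> {
    private final Map<K, V> delegate;

    FrozenMap(Map<K, V> delegate) { this.delegate = delegate; }

    // AbstractMap's mutators go through entrySet(); an unmodifiable view makes
    // put/remove/clear throw UnsupportedOperationException.
    @Override public Set<Map.Entry<K, V>> entrySet() {
      return Collections.unmodifiableSet(delegate.entrySet());
    }
    @Override public V get(Object key) { return delegate.get(key); }
    @Override public boolean containsKey(Object key) { return delegate.containsKey(key); }
    @Override public int size() { return delegate.size(); }
  }

  /** Defensive copy that is a no-op when given one of its own outputs. */
  static <K, V> Map<K, V> copyOf(Map<? extends K, ? extends V> map) {
    if (map instanceof FrozenMap) {
      @SuppressWarnings("unchecked") // FrozenMap is never mutated, so the cast is safe
      Map<K, V> already = (Map<K, V>) map;
      return already;
    }
    Map<K, V> copy = new LinkedHashMap<>(Math.max(16, map.size() * 2));
    for (Map.Entry<? extends K, ? extends V> e : map.entrySet()) {
      // Same contract as Map.copyOf: null keys and values are rejected.
      if (e.getKey() == null || e.getValue() == null) {
        throw new NullPointerException("null keys/values are not allowed");
      }
      copy.put(e.getKey(), e.getValue());
    }
    return new FrozenMap<>(copy);
  }

  public static void main(String[] args) {
    Map<String, String> mutable = new HashMap<>();
    mutable.put("rel", "nofollow");

    Map<String, String> first = copyOf(mutable);
    Map<String, String> second = copyOf(first);   // layer 2: no copy
    Map<String, String> third = copyOf(second);   // layer 3: no copy

    // Later mutation of the caller's map does not leak into the copy.
    mutable.put("rel", "opener");

    System.out.println(first == second && second == third);   // true
    System.out.println(first.get("rel"));                      // nofollow
    try {
      first.put("x", "y");
    } catch (UnsupportedOperationException expected) {
      System.out.println("copy is unmodifiable");
    }
  }
}
```

The same pattern carries over to a List and Set variant. In a multi-release jar the Java 9+ version of this class would simply delegate to Map.copyOf, so that on newer runtimes the JDK's own copy-recognition applies and the wrapper disappears.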
Removing the dependency on Guava is GOOD. Adding a dependency on Java 9 is BAD. I mean, really?! This isn't even LTS.
This is a surefire way to force people (including my group) to find an alternative. We have a hard requirement on Java 8 and will for the foreseeable future.
So, please reconsider.
As @csware notes, JDK8 compatibility can be achieved without too much effort
Should this issue be closed? https://github.com/OWASP/java-html-sanitizer/releases/tag/release-20240325.1 is listed as having Java 8 compatibility via https://github.com/OWASP/java-html-sanitizer/pull/328 .
The minimum required Java version was explicitly raised to 9 with the recent removal of Guava (cf. commit 3b6cc1b7e6d7992c5b15f87f91dc163de7d35c05).
I appreciate that Guava was dropped recently, however, there is a problem:
Map.copyOf (also List.copyOf) was first introduced with Java 10. The method Files.readString used in the tests was introduced with Java 11 (here, Commons-IO could be used, or just plain new String(Files.readAllBytes(path), Charsets.toCharset(charset));).
I suppose reasons are:
--release parameter (cf. #304)