Open goto1134 opened 2 years ago
Apparently this is a false positive, since all modules of flexmark override this with a newer jsoup; it is just not explicitly excluded on the openhtmltopdf-jsoup-dom-converter dependency (which would prevent this false positive).
This dependency itself might be worth removing, though. Its own description marks it as deprecated:
DEPRECATED MODULE FOR REMOVAL: Use Jsoup provided W3CDom helper class instead. Open HTML to PDF is a CSS 2.1 renderer written in Java. This artifact supports converting a Jsoup HTML5 instance into a DOM supported by Open HTML to PDF.
Any updates on a fix timeline?
So is this saying to use something like https://jsoup.org/apidocs/org/jsoup/helper/class-use/W3CDom.html ?
openhtmltopdf-jsoup-dom-converter has an org.jsoup:jsoup:1.11.3 dependency. This version is vulnerable to CVE-2021-37714.
To fix it, follow the advice in GHSA-m72m-mhq2-9p6c and update to org.jsoup:jsoup:1.14.2 or higher.
The related issue in openhtmltopdf: https://github.com/danfickle/openhtmltopdf/issues/828
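Putting the two suggestions in this thread together (drop the deprecated converter module, and use jsoup's own W3CDom helper as its description recommends), the following is an added example of the replacement path; it is not code from flexmark or from openhtmltopdf. It assumes jsoup 1.14.2 or newer and openhtmltopdf-pdfbox 1.0.x on the classpath; the class name, the base URI and the sample HTML are constructed for the example.

```java
import java.io.FileOutputStream;
import java.io.OutputStream;

import org.jsoup.Jsoup;
import org.jsoup.helper.W3CDom;

import com.openhtmltopdf.pdfboxout.PdfRendererBuilder;

public class JsoupToPdf {

    // Constructed sample input. In practice this is the HTML produced by the
    // Markdown renderer, or user-supplied markup, so parse it with a patched jsoup.
    static final String HTML = "<html><head><style>body{font-family:sans-serif}</style></head>"
            + "<body><h1>Report</h1><p>Rendered via jsoup W3CDom, no converter module.</p></body></html>";

    // Parse HTML5 with jsoup, convert to a W3C DOM with jsoup's own W3CDom helper
    // (the documented replacement for openhtmltopdf-jsoup-dom-converter), then hand
    // the W3C document to Open HTML to PDF. No openhtmltopdf-jsoup-dom-converter
    // classes are involved, so that artifact (and its jsoup 1.11.3) can be removed.
    public static void render(String html, String baseUri, OutputStream out) throws Exception {
        org.jsoup.nodes.Document jsoupDoc = Jsoup.parse(html, baseUri);
        org.w3c.dom.Document w3cDoc = new W3CDom().fromJsoup(jsoupDoc);

        PdfRendererBuilder builder = new PdfRendererBuilder();
        builder.useFastMode();
        builder.withW3cDocument(w3cDoc, baseUri);
        builder.toStream(out);
        builder.run();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical output path and base URI, chosen for the example only.
        try (OutputStream out = new FileOutputStream("report.pdf")) {
            render(HTML, "https://example.invalid/", out);
        }
    }
}
```

After removing the openhtmltopdf-jsoup-dom-converter dependency, confirm that the old jsoup no longer appears in the resolved tree with `mvn dependency:tree -Dincludes=org.jsoup:jsoup`; if any other path still pulls in 1.11.3, pin jsoup to 1.14.2 or higher in dependencyManagement so the scanner's finding is resolved rather than merely overridden.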