vsch / flexmark-java

CommonMark/Markdown Java parser with source level AST. CommonMark 0.28, emulation of: pegdown, kramdown, markdown.pl, MultiMarkdown. With HTML to MD, MD to PDF, MD to DOCX conversion modules.
BSD 2-Clause "Simplified" License

CVE-2021-37714: update jsoup #505

Open goto1134 opened 2 years ago

goto1134 commented 2 years ago

openhtmltopdf-jsoup-dom-converter has an org.jsoup:jsoup:1.11.3 dependency. This version is vulnerable to CVE-2021-37714.

To fix it, follow the advice GHSA-m72m-mhq2-9p6c and update to org.jsoup:jsoup:1.14.2 and higher.

The related issue in openhtmltopdf: https://github.com/danfickle/openhtmltopdf/issues/828

snv commented 2 years ago

Apparently this is a false positive, since all modules of flexmark override this with a newer jsoup, it just is not explicitly excluded on the openhtmltopdf-jsoup-dom-converter dependency (which would prevent this false positive).

This dependency itself might be worth removing though. Its own description marks it as deprecated:

DEPRECATED MODULE FOR REMOVAL: Use Jsoup provided W3CDom helper class instead. Open HTML to PDF is a CSS 2.1 renderer written in Java. This artifact supports converting a Jsoup HTML5 instance into a DOM supported by Open HTML to PDF.
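An added example, not from this thread or the flexmark project, of the explicit exclusion described above: the transitive jsoup pulled in by openhtmltopdf-jsoup-dom-converter is excluded and the patched jsoup is declared directly, so a dependency scanner sees only the resolved version. The Maven coordinates com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter and the placeholder version are assumptions.

```xml
<!-- Example pom.xml fragment (constructed for illustration, not flexmark's own build file). -->
<dependencies>
  <dependency>
    <!-- groupId and version are assumed; check your build for the real values -->
    <groupId>com.openhtmltopdf</groupId>
    <artifactId>openhtmltopdf-jsoup-dom-converter</artifactId>
    <version>OPENHTMLTOPDF_VERSION_PLACEHOLDER</version>
    <exclusions>
      <!-- Drop the vulnerable transitive jsoup 1.11.3 so it never appears in the tree -->
      <exclusion>
        <groupId>org.jsoup</groupId>
        <artifactId>jsoup</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <!-- Declare the fixed jsoup explicitly (1.14.2 or newer per GHSA-m72m-mhq2-9p6c) -->
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.14.2</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.jsoup` should list a single jsoup entry at the pinned version, which is the check a scanner effectively performs.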

kkomissarchik commented 1 year ago

Any updates on a fix timeline?

ebresie commented 1 year ago

So is this saying to use something like https://jsoup.org/apidocs/org/jsoup/helper/class-use/W3CDom.html?