[ https://issues.apache.org/jira/browse/TOBAGO-2304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837150#comment-17837150 ]
Timur Muslimov commented on TOBAGO-2304:
----------------------------------------
Thank you, but I didn't find it in your release notes or in closed tasks:
https://issues.apache.org/jira/browse/TOBAGO-2134?jql=project%20%3D%20TOBAGO%20AND%20fixVersion%20in%20(2.5.0%2C%202.5.1)
> Update jsoup to 1.15.3
> ----------------------
>
> Key: TOBAGO-2304
> URL: https://issues.apache.org/jira/browse/TOBAGO-2304
> Project: MyFaces Tobago
> Issue Type: Task
> Reporter: Timur Muslimov
> Assignee: Henning Nöth
> Priority: Major
>
> Because of the issue in the current version -
> [CVE-2022-36033|https://nvd.nist.gov/vuln/detail/CVE-2022-36033]:
> jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and
> cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML
> including `javascript:` URL expressions, which could allow XSS attacks when a
> reader subsequently clicks that link. If the non-default
> `SafeList.preserveRelativeLinks` option is enabled, HTML including
> `javascript:` URLs that have been crafted with control characters will not be
> sanitized. If the site that this HTML is published on does not set a Content
> Security Policy, an XSS attack is then possible. This issue is patched in
> jsoup 1.15.3. Users should upgrade to this version. Additionally, as the
> unsanitized input may have been persisted, old content should be cleaned
> again using the updated version. To remediate this issue without immediately
> upgrading:
> - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as
>   absolute URLs
> - ensure an appropriate [Content Security
>   Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined.
>   (This should be used regardless of upgrading, as a defence-in-depth best
>   practice.)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
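As an added example (not code from the Tobago project or from jsoup itself), the remediation the quoted advisory describes: clean untrusted HTML with `preserveRelativeLinks` left off so links are rewritten as absolute, then re-check the output so already persisted content can be run through the same path. The class name `Safelist` (the spelling used by jsoup 1.14.1 and later), the placeholder base URI and the helper names are assumptions of this example.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

public final class SafeLinkCleaner {
    // Placeholder base URI (assumption); jsoup needs one to absolutize relative links.
    private static final String BASE_URI = "https://example.invalid/";

    // Only these schemes are kept on <a href> after cleaning.
    private static final String[] ALLOWED_SCHEMES = {"http:", "https:"};

    /** Cleans untrusted HTML the way the advisory recommends and re-checks the result. */
    public static String clean(String untrustedHtml) {
        // preserveRelativeLinks(false) is the default; it is written out here because
        // the advisory names this option as the one that must NOT be enabled.
        Safelist safelist = Safelist.basic().preserveRelativeLinks(false);
        String cleaned = Jsoup.clean(untrustedHtml, BASE_URI, safelist);
        return stripNonHttpLinks(cleaned);
    }

    /** Re-cleans content that was stored before the jsoup upgrade (advisory step). */
    public static String recleanPersisted(String storedHtml) {
        return clean(storedHtml);
    }

    // Defence in depth: parse the cleaned fragment again and drop any href whose
    // scheme, once ASCII control characters are removed, is not http or https.
    private static String stripNonHttpLinks(String cleanedHtml) {
        Document doc = Jsoup.parseBodyFragment(cleanedHtml, BASE_URI);
        for (Element a : doc.select("a[href]")) {
            String href = a.attr("href")
                    .replaceAll("[\\x00-\\x20\\x7f]", "")  // control chars and spaces
                    .toLowerCase();
            boolean allowed = false;
            for (String scheme : ALLOWED_SCHEMES) {
                if (href.startsWith(scheme)) {
                    allowed = true;
                    break;
                }
            }
            if (!allowed) {
                a.removeAttr("href");  // keep the link text, drop the unsafe target
            }
        }
        return doc.body().html();
    }
}
```

The second pass is independent of the jsoup version, so it also gives a useful check on output produced before the upgrade to 1.15.3.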