Hi, Regarding the recent Apache Commons Text advisory (https://blogs.apache.org/security/entry/cve-2022-42889), Syncope uses the StringSubstitutor API here:
https://github.com/apache/syncope/blob/7309dd303f2fe9238df4b69776f6284a87549599/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/ContentLoaderHandler.java Can you confirm please that all of the input used with StringSubstitutor in this class can be classified as "trusted input"? Thanks, Colm.