2.6.1.0
Full Release Notes
Release notes for ESAPI release 2.6.1.0 are located at:
What's Changed
- Updated AntiSamy from release 1.7.7 to 1.7.8, which addresses the potentially exploitable vulnerability GHSA-73m2-qfq3-56cx. There is a slim possibility that this could affect ESAPI users who have allowed certain CSS mark-up constructs in the AntiSamy policy file that they are using. However, the default ESAPI AntiSamy policy file (antisamy-esapi.xml) does not permit CSS mark-up of any sort unless it has been modified by the ESAPI client.
- Other minor updates to pom.xml
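The exposure condition above depends on whether a deployment's AntiSamy policy lets CSS through. The following added example (not ESAPI or AntiSamy project code) audits a policy file for the three places in the AntiSamy policy schema where that can happen: `<property>` entries under `<css-rules>`, a `<tag-rules>` entry that validates or truncates the `<style>` tag, and an `embedStyleSheets` directive set to true. The two policy fragments embedded in it are constructed samples, not the real antisamy-esapi.xml.

```python
"""Audit an AntiSamy policy file for CSS mark-up permissions.

Added example, not part of ESAPI or AntiSamy. It inspects the three policy
sections where CSS can be permitted and reports whether any of them allow it.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies (not the shipped antisamy-esapi.xml).
RESTRICTIVE_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="embedStyleSheets" value="false"/>
  </directives>
  <tag-rules>
    <tag name="b" action="validate"/>
    <tag name="style" action="remove"/>
  </tag-rules>
  <css-rules/>
</anti-samy-rules>
"""

PERMISSIVE_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="embedStyleSheets" value="false"/>
  </directives>
  <tag-rules>
    <tag name="b" action="validate"/>
    <tag name="style" action="validate"/>
  </tag-rules>
  <css-rules>
    <property name="color" description="colour of text"/>
    <property name="background-color" description="background colour"/>
  </css-rules>
</anti-samy-rules>
"""


def audit_css_policy(policy_xml: str) -> dict:
    """Return a report on whether the given AntiSamy policy permits CSS."""
    root = ET.fromstring(policy_xml)

    # CSS properties listed under <css-rules> are the ones AntiSamy will keep
    # in style attributes and <style> blocks.
    css_props = [p.get("name") for p in root.findall("./css-rules/property")]

    # A <tag-rules> entry for "style" with action validate/truncate lets
    # <style> elements survive sanitisation; "remove" or "filter" do not.
    style_tag = root.find("./tag-rules/tag[@name='style']")
    style_action = style_tag.get("action") if style_tag is not None else None

    # embedStyleSheets=true makes AntiSamy fetch linked stylesheets and inline them.
    embed = root.find("./directives/directive[@name='embedStyleSheets']")
    embed_on = embed is not None and embed.get("value", "").strip().lower() == "true"

    findings = []
    if css_props:
        findings.append("css-rules permits properties: " + ", ".join(css_props))
    if style_action in ("validate", "truncate"):
        findings.append(f"<style> tag rule action={style_action}")
    if embed_on:
        findings.append("embedStyleSheets directive is true")

    return {
        "allows_css": bool(findings),
        "findings": findings,
        "css_properties": css_props,
        "style_tag_action": style_action,
        "embed_style_sheets": embed_on,
    }


def audit_css_policy_file(path: str) -> dict:
    """Convenience wrapper: audit a policy file on disk (e.g. a modified antisamy-esapi.xml)."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_css_policy(fh.read())


if __name__ == "__main__":
    for label, policy in (("restrictive", RESTRICTIVE_POLICY), ("permissive", PERMISSIVE_POLICY)):
        report = audit_css_policy(policy)
        print(f"{label}: allows_css={report['allows_css']}")
        for line in report["findings"]:
            print("  -", line)
```

Point `audit_css_policy_file` at the policy file your deployment actually loads (the one named by ESAPI.properties, not the copy in the configuration jar) to see whether the CSS-related exposure described above applies to you.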
Full Changelog: esapi-2.6.0.0...esapi-2.6.1.0
Other Notes
You may see GHAS Dependabot references to https://github.com/ESAPI/esapi-java-legacy/security/dependabot/17 for this (and previous releases). For a more thorough discussion of this, please see Discussion #877.
Configuration Jar
Note the associated file "esapi-2.6.1.0-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.6.1.0-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.