2.5.3.0
Major changes
- The two Validator.isValidSafeHTML methods were deprecated. More details on this are in GitHub Security Advisory GHSA-r68h-jhhj-9jvm.
- There is now a version of the ESAPI jar that should support the Jakarta Servlet API. See the release notes and the ESAPI GitHub wiki page "Using ESAPI with Jakarta EE Servlet API Specification 5.0 and later" for details.
- Updated to AntiSamy 1.7.4, which addresses CVE-2023-43643; that issue was not exploitable via ESAPI anyway. More details are in the release notes.
Release Notes
The release notes for ESAPI release 2.5.3.0 are located at:
Configuration files located in configuration jar
Note that the attached file "esapi-2.5.3.0-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.0-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.0-configuration.jar", signed by ESAPI project co-lead, Kevin W. Wall.
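The steps above, checking the detached signature before unpacking and then locating the files under 'configuration/esapi', as an added shell script. This is example code, not part of the release or the ESAPI project. It assumes gpg and the JDK's jar tool are on PATH, that the signer's public key has already been imported into the local keyring, and that the .asc file sits beside the jar with the file names given above.

```shell
#!/bin/sh
# Added example, not part of the ESAPI release page or the ESAPI project.
# Verifies the detached GPG signature on the configuration jar before
# unpacking it, then lists the ESAPI configuration files it contains.
# Assumes gpg and the JDK's jar tool are on PATH and that the signer's
# public key is already in the local keyring.
# Usage:
#   sh verify_esapi_config.sh esapi-2.5.3.0-configuration.jar [dest-dir]
set -eu

# Return 0 only if both the jar and its detached signature (<jar>.asc) exist.
check_inputs() {
    jar_file="$1"
    sig_file="$1.asc"
    if [ ! -f "$jar_file" ]; then
        echo "missing jar: $jar_file" >&2
        return 1
    fi
    if [ ! -f "$sig_file" ]; then
        echo "missing detached signature: $sig_file" >&2
        return 1
    fi
    return 0
}

# Verify the detached signature. gpg exits non-zero on a bad signature or
# when the signing key is not in the keyring, and set -e then aborts the
# script before anything is unpacked. Note that gpg still exits 0 for a
# valid signature from an imported but untrusted key; it only warns.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# Unpack with 'jar xf' into dest and print the files under configuration/esapi
# (ESAPI.properties, validation.properties, ...).
extract_config() {
    jar_file="$1"
    dest="$2"
    # Absolute path, because we cd into dest before running jar.
    abs_jar="$(cd "$(dirname "$jar_file")" && pwd)/$(basename "$jar_file")"
    mkdir -p "$dest"
    (cd "$dest" && jar xf "$abs_jar")
    find "$dest/configuration/esapi" -type f | sort
}

main() {
    jar_file="$1"
    dest="${2:-esapi-config}"
    check_inputs "$jar_file"
    verify_signature "$jar_file"
    extract_config "$jar_file" "$dest"
}

# Only run when a jar path is given on the command line.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `sh verify_esapi_config.sh esapi-2.5.3.0-configuration.jar`; the order matters, since the signature is checked before 'jar xf' ever touches the archive, so a tampered download is never unpacked.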
References
- GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.
- CVE-2023-43643 was addressed by the AntiSamy 1.7.4 upgrade. Even without this AntiSamy patch, ESAPI was not impacted.
The release notes contain a more complete list of what has changed or been fixed in ESAPI 2.5.3.0.