2.5.3.1

@kwwall kwwall released this 01 Dec 05:08
· 4 commits to develop since this release
esapi-2.5.3.1
7823a87

Major changes

ESAPI 2.5.3.1 is a minor point release that adds:

  • Updated Javadoc for the Validator.isValidSafeHTML and ValidationRule.getValid methods.
  • An always-on log message, emitted a single time only, if either of the isValidSafeHTML methods is invoked. The warning notes that the method is deprecated and provides a link to the GitHub Security Advisory.

Release Notes

The release notes for ESAPI release 2.5.3.1 are located at:

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.5.3.1-release-notes.txt

Configuration files located in configuration jar

Note that the attached file "esapi-2.5.3.1-configuration.jar" contains the default ESAPI configuration files intended for use in production. Download the file and unjar it via 'jar xf'. After you unjar that configuration jar, look under the 'configuration/' directory. Most of the files you are interested in are located under 'configuration/esapi', such as ESAPI.properties, validation.properties, etc. The attached file "esapi-2.5.3.1-configuration.jar.asc" is a detached GPG signature of the file "esapi-2.5.3.1-configuration.jar", signed by ESAPI project co-lead Kevin W. Wall.

References

  • GHSA-r68h-jhhj-9jvm was created and some partial, incomplete workarounds are discussed, but there is no patch available without major breakage of some client code. See Security Bulletin 12 for additional details.