Next ESAPI release to remove Validator.isValidSafeHTML and property name fields in DefaultSecurityConfiguration

Kevin W. Wall

Oct 8, 2024, 9:39:25 PM
to esapi-project-users
we will be deleting the interface method Validator.isValidSafeHTML and its implementation in DefaultValidator.isValidSafeHTML.

We will be doing this on or shortly after November 24, 2024, which will mark the one-year anniversary of publishing that GHAS Security Advisory.
The ESAPI release will tentatively be 2.6.0.0. If you are still using that isValidSafeHTML method you are strongly advised to read
as well as ESAPI Security Bulletin #12, which provides some suggested workarounds as well as providing the low level details for the reasons for doing this.
In addition to the removal of that method, we will also be removing all of the 'public static final String' fields defining ESAPI property names that are now in org.owasp.esapi.PropNames. For further details, see the "DEPRECATION WARNING" in https://javadoc.io/static/org.owasp.esapi/esapi/2.5.4.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html.

-kevin
P.S.- I'm referring to the 2.5.4.0 version of Javadoc here because javadoc.io has not yet picked up the 2.5.5.0 version. (The only changes were relatively minor typo corrections.)
--
Blog: https://off-the-wall-security.blogspot.com/    | GitHub: @kwwall | OWASP ESAPI Project co-lead | OWASP and ACM lifetime member
NSA: All your crypto bit are belong to us.