ESAPI 2.5.3.1 is a minor point release based on the recent 2.5.3.0 release that adds a logged warning when either of the Validator.isValidSafeHTML methods is invoked. The warning notes that the method is deprecated and provides a link to the GitHub Security Advisory. The warning message itself looks something like this:

[2023-11-30 23:51:13] [DefaultLogger] [SECURITY AUDIT Anonymous:@unknown -> /ExampleApplication/DefaultLogger] WARNING: You are using the Validator.isValidSafeHTML interface, which has been deprecated and should be avoided. See GitHub Security Advisory https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm for details.
The rationale for this point release was to add the logging so that, if ESAPI logs are sent to your SIEM, it provides a message to set up an alert / trigger for. Also, we added clarifying Javadoc for the 2 Validator.isValidSafeHTML methods and corrected the ESAPI property name actually used by ValidationRule.getValid.
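As an added illustration of the SIEM use the release notes have in mind (this is not ESAPI project code), the detector below parses ESAPI-style log lines and flags the deprecation warning quoted above so an alert can be raised per application context. The log sample is constructed; only the WARNING line follows the format shown in the release notes, the other two lines are assumed filler.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not from a real deployment). Line 2 mirrors the
# deprecation warning quoted in the ESAPI 2.5.3.1 release notes; the INFO
# line and the last WARNING line are assumed filler to show the filter works.
SAMPLE_LOG = """\
[2023-11-30 23:51:12] [DefaultLogger] [EVENT_SUCCESS Anonymous:@unknown -> /ExampleApplication/DefaultLogger] INFO: input validated
[2023-11-30 23:51:13] [DefaultLogger] [SECURITY AUDIT Anonymous:@unknown -> /ExampleApplication/DefaultLogger] WARNING: You are using the Validator.isValidSafeHTML interface, which has been deprecated and should be avoided. See GitHub Security Advisory https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm for details.
[2023-11-30 23:51:14] [DefaultLogger] [SECURITY AUDIT Anonymous:@unknown -> /ExampleApplication/DefaultLogger] WARNING: unrelated audit message
"""

# [timestamp] [logger] [EVENT_TYPE user -> context] LEVEL: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<logger>[^\]]+)\] "
    r"\[(?P<event>[A-Z_ ]+?) (?P<user>\S+) -> (?P<ctx>\S+)\] "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
ADVISORY_RE = re.compile(
    r"https://github\.com/ESAPI/esapi-java-legacy/security/advisories/(GHSA-[\w-]+)"
)

@dataclass
class DeprecatedApiHit:
    timestamp: str
    context: str   # application path the warning was logged under
    advisory: str  # GHSA id extracted from the message, or "unknown"

def parse_line(line: str):
    """Split one ESAPI log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_deprecated_safehtml_calls(log_text: str) -> list:
    """Return one hit per SECURITY AUDIT warning about Validator.isValidSafeHTML."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SECURITY AUDIT" not in rec["event"]:
            continue
        msg = rec["msg"]
        if "Validator.isValidSafeHTML" in msg and "deprecated" in msg:
            adv = ADVISORY_RE.search(msg)
            hits.append(DeprecatedApiHit(rec["ts"], rec["ctx"],
                                         adv.group(1) if adv else "unknown"))
    return hits

def hits_per_context(hits: list) -> dict:
    """Aggregate hits by application context; alert when any count is >= 1."""
    counts = {}
    for h in hits:
        counts[h.context] = counts.get(h.context, 0) + 1
    return counts
```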
You may find this release at https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.5.3.1