Guava dependency changed in Release 20190325.1 of OWASP/java-html-sanitizer


Mike Samuel

Mar 25, 2019, 3:12:51 PM
to OWASP Java HTML Sanitizer Announce
I released version 20190325.1 of github.com/OWASP/java-html-sanitizer which changes the way the Guava dependency works.

As discussed at issue 162, this could pin a client into using an older version of Guava which might cause client or other dependencies to use APIs with known problems.

Now, the dependency is on guava:27.1-jre.  If you require a different version then you can use various Maven methods to force a particular version, or tell mvn to use the guava.version property with the version you desire, e.g. via -Dguava.version=21.1 or specifying <guava.version>21.1</guava.version> in your project's <properties> element.

Important: Guava 21.0 requires Java 8. If you need Java 7 or Android compatibility, use Guava 20.0 for now. Guava 22.0 and on will introduce a Java 7/Android compatible backport of Guava that includes all of the latest changes that don't require Java 8. (As for Java 6, we don't plan to support it past 20.0.)



Other notes from the change log for this new version:

Release 20190325.1
  • Properly parse srcset attribute values to apply URL policy to each URL in turn.
  • Update dependency on guava version to 27.1-jre to avoid causing clients problems with CVE-2018-10237. Specify Maven property guava.version to override.
  • Compatible with JDK 11.
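
The srcset item in the change log above, illustrated with an added example that is not part of the original announcement and is not java-html-sanitizer's own code: a srcset value holds several comma-separated image candidates, so a URL policy has to be applied to each candidate's URL rather than to the attribute value as one string. The class name, the `urlAllowed` policy and the simplified candidate splitting are assumptions made for this sketch.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class SrcsetPolicyDemo {
  // Hypothetical URL policy (assumption): relative URLs and http(s) only.
  static boolean urlAllowed(String url) {
    int colon = url.indexOf(':');
    for (int i = 0; i < colon; i++) {
      char c = url.charAt(i);
      if (c == '/' || c == '?' || c == '#') { return true; }  // ':' is not a scheme delimiter
    }
    if (colon < 0) { return true; }  // no scheme: relative URL
    String scheme = url.substring(0, colon).toLowerCase(Locale.ROOT);
    return scheme.equals("http") || scheme.equals("https");
  }

  // Splits a srcset value into candidates and keeps only those whose URL
  // passes the policy and whose descriptor is a plain width or density.
  static String sanitizeSrcset(String srcset) {
    List<String> kept = new ArrayList<>();
    int i = 0, n = srcset.length();
    while (i < n) {
      // Skip whitespace and commas between candidates.
      while (i < n && (Character.isWhitespace(srcset.charAt(i)) || srcset.charAt(i) == ',')) { i++; }
      int start = i;
      while (i < n && !Character.isWhitespace(srcset.charAt(i))) { i++; }
      String url = srcset.substring(start, i);
      String descriptor = "";
      if (url.endsWith(",")) {
        url = url.replaceAll(",+$", "");  // candidate with no descriptor
      } else {
        int dStart = i;
        while (i < n && srcset.charAt(i) != ',') { i++; }
        descriptor = srcset.substring(dStart, i).trim();
      }
      boolean descriptorOk = descriptor.isEmpty() || descriptor.matches("\\d+w|\\d+(\\.\\d+)?x");
      if (!url.isEmpty() && descriptorOk && urlAllowed(url)) {
        kept.add(descriptor.isEmpty() ? url : url + " " + descriptor);
      }
    }
    return String.join(", ", kept);
  }

  public static void main(String[] args) {
    // Constructed input: the second candidate uses a scheme the policy rejects.
    String in = "small.png 1x, javascript:void(0) 2x,https://example.com/big.png 3x";
    System.out.println(sanitizeSrcset(in));
  }
}
```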