summary

XSS vulnerability not caught by SafeHtml

Description

Through a security review we have discovered a problem related to Jsoup used by the SafeHtml validator. A fix has been submitted to Jsoup and the fix has now been released with version 1.8.3.

Please see the Jsoup pull request for details: https://github.com/jhy/jsoup/pull/582

Environment

None

Status

Assignee

Unassigned

Reporter

Tommy Johansen

Labels

validation

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Suitable for new contributors

Yes, likely

Pull Request

https://github.com/hibernate/hibernate-validator/pull/424

backportDecision

None

backportReEvaluate

None

Components

engine

Fix versions

4.3.3.Final

5.2.2.Final

Affects versions

5.2.1.Final

Priority

Minor

Configure