XSS vulnerability not caught by SafeHtml

Description

Through a security review we have discovered a problem related to Jsoup used by the SafeHtml validator. A fix has been submitted to Jsoup and the fix has now been released with version 1.8.3.

Please see the Jsoup pull request for details: https://github.com/jhy/jsoup/pull/582

Environment

None

Status

Assignee

Unassigned

Reporter

Tommy Johansen

Labels

validation

Worked in

None

Feedback Requested

None

Feedback Requested By

None

backPortable

None

Community Help Wanted

None

Suitable for new contributors

Yes, likely

Requires Release Note

None

Pull Request

https://github.com/hibernate/hibernate-validator/pull/424

backportDecision

None

backportReEvaluate

None

Components

engine

Fix versions

5.2.2.Final

4.3.3.Final

Affects versions

5.2.1.Final

Priority

Minor