All-in-one version with shaded guava
cnsgithub opened this issue ยท 7 comments
Hi,
I'd like to use owasp-java-html-sanitizer in PrimeFaces (a popular JSF component suite). However, because of very restrictive policies regarding the use of third-party policies my PR cannot be merged.
The problem is the dependency to guava, which is a really big one that is also widely used and therefore version conflicts are conceivable.
So I come to the question if it would be possible for you to provide an additional all-in-one version of owasp-java-html-sanitizer having the guava dependency shaded?
Please see primefaces/primefaces#3214 for the reasons why my PR was reverted.
Thanks.
Just for the sake of documenting collisions, OWASP using guava 19.0 makes it incompatible with graphql-java-tools 5.2.4, and graphql-java-servlet 6.2.0.
@mikesamuel
is there a possibilty to move away from guava?
other owasp libs (like esapi or encoder) doesn't use guava AFAICS
we could even do the change probably and provide a PR for it.
Most imports seem to be optional after using Java 8+ and reimplement some functionality
After having this open for almost five years now and a having pull request #272 open for resolving it, could you please reconsider removing this dependency?
still interested in this issue: Primefaces is using this sanitizer and as a result it gets Guava on board. Any way that Guava can be ditched? Thank you!