OWASP/java-html-sanitizer

All-in-one version with shaded guava

cnsgithub opened this issue · 7 comments

Hi,

I'd like to use owasp-java-html-sanitizer in PrimeFaces (a popular JSF component suite). However, because of very restrictive policies regarding the use of third-party policies my PR cannot be merged.

The problem is the dependency on guava, which is a really big one that is also widely used and therefore version conflicts are conceivable.

So I come to the question if it would be possible for you to provide an additional all-in-one version of owasp-java-html-sanitizer having the guava dependency shaded?

Please see primefaces/primefaces#3214 for the reasons why my PR was reverted.

Thanks.

Just for the sake of documenting collisions, OWASP using guava 19.0 makes it incompatible with graphql-java-tools 5.2.4, and graphql-java-servlet 6.2.0.

@mikesamuel
is there a possibility to move away from guava?
other owasp libs (like esapi or encoder) don't use guava AFAICS

we could even do the change probably and provide a PR for it.

Most imports seem to be optional after using Java 8+ and reimplementing some functionality

stolp commented

After having this open for almost five years now and having pull request #272 open for resolving it, could you please reconsider removing this dependency?

still interested in this issue: Primefaces is using this sanitizer and as a result it gets Guava on board. Any way that Guava can be ditched? Thank you!