[Snyk] Security upgrade org.owasp.antisamy:antisamy from 1.7.7 to 1.7.8#875
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-9804209
Note: I have previously researched this vulnerability that Snyk references in this PR. It corresponds to CVE-2025-27820 and is associated with improper certificate validation. AntiSamy only uses it in its CssScanner class, and ESAPI only potentially would use it as a transitive dependency via AntiSamy. I do not believe that ESAPI's default AntiSamy policy file, antisamy-esapi.xml, exposes ESAPI to this vulnerability because that policy file does not permit any CSS markup at all. However, since not everyone may be using the default policy file, there is a potential it could affect ESAPI if CSS markup is permitted in a customized ESAPI AntiSamy policy file. In that case, one could potentially encounter an https URL using something like a CSS at-rule, using something like (say) @import url("https://example.com/some-external-css-resource.css");

Of course, if you are blindly accepting arbitrary external URLs to import CSS, you probably have bigger problems. And if you are doing that, there's probably little reason that an attacker needs you to accept an improper TLS server-side certificate. So, this potential attack vector is probably only realistic if you are doing some sort of restriction to a small list of trusted URLs using an allow-list approach. And if you are doing that, the CVSSv3 base score of 7.5 is probably going to be much higher than your CVSSv3 environmental score, which is more likely to reflect your actual risk. So, there's not much to panic about unless you are using ESAPI (or even AntiSamy directly) in some relatively questionable manner.

That said, since @davewichers and @spassarop were kind enough to get out a quick fix when I asked, as soon as I can approve this PR (which it seemingly is not allowing me to 'approve') I will try to do a new release to include the updated version of AntiSamy.
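A defensive check a practitioner could run over their own AntiSamy policy file, following the point made in the comment above: the CssScanner's outbound @import fetch (the only path on which the httpclient5 dependency is exercised) is reachable only when the policy both keeps <style> elements and enables stylesheet embedding. This is an added example, not ESAPI's or AntiSamy's own code. It assumes the AntiSamy policy XML layout (an <anti-samy-rules> root with <directives>, <tag-rules>, <global-tag-attributes> and <css-rules> sections) and the real AntiSamy directives embedStyleSheets and maxStyleSheetImports; the two policies embedded in it are constructed fragments for illustration, not antisamy-esapi.xml, and the fallback of 1 for maxStyleSheetImports is an assumption rather than a quoted AntiSamy default.

```python
"""Report whether an AntiSamy policy leaves the CssScanner's remote @import
path reachable. Added example; not ESAPI or AntiSamy code."""
import xml.etree.ElementTree as ET

# Constructed sample: keeps <style> elements, allows a style attribute and
# turns on embedStyleSheets, so remote @import fetching is reachable.
PERMISSIVE_POLICY = """
<anti-samy-rules>
  <directives>
    <directive name="embedStyleSheets" value="true"/>
    <directive name="maxStyleSheetImports" value="1"/>
  </directives>
  <global-tag-attributes>
    <attribute name="style"/>
  </global-tag-attributes>
  <tag-rules>
    <tag name="style" action="validate"/>
    <tag name="p" action="validate"/>
  </tag-rules>
  <css-rules>
    <property name="color"/>
  </css-rules>
</anti-samy-rules>
"""

# Constructed sample in the spirit of a policy that permits no CSS at all.
RESTRICTIVE_POLICY = """
<anti-samy-rules>
  <directives>
    <directive name="embedStyleSheets" value="false"/>
  </directives>
  <tag-rules>
    <tag name="style" action="remove"/>
    <tag name="p" action="validate"/>
  </tag-rules>
  <css-rules/>
</anti-samy-rules>
"""


def css_exposure(policy_xml: str) -> dict:
    """Summarise the policy settings that matter for the @import code path."""
    root = ET.fromstring(policy_xml)
    directives = {d.get("name"): (d.get("value") or "") for d in root.iter("directive")}
    tag_actions = {t.get("name"): t.get("action") for t in root.iter("tag")}

    # A <style> element only reaches the stylesheet scanner when the policy
    # validates it; "remove" (or no rule at all) drops it before any CSS parsing.
    style_element_kept = tag_actions.get("style") == "validate"
    # A style attribute anywhere means inline declarations are scanned, but an
    # inline declaration cannot carry an at-rule such as @import.
    style_attribute_allowed = any(a.get("name") == "style" for a in root.iter("attribute"))
    css_properties = sorted(p.get("name") for p in root.iter("property"))
    embed = directives.get("embedStyleSheets", "false").strip().lower() == "true"
    raw_max = directives.get("maxStyleSheetImports", "1").strip()
    max_imports = int(raw_max) if raw_max.isdigit() else 1  # assumed fallback

    # AntiSamy follows @import only when embedStyleSheets is true, so this is the
    # combination that could ever open an outbound HTTPS connection.
    remote_fetch_reachable = embed and style_element_kept and max_imports > 0
    return {
        "style_element_kept": style_element_kept,
        "style_attribute_allowed": style_attribute_allowed,
        "css_properties": css_properties,
        "embed_style_sheets": embed,
        "max_style_sheet_imports": max_imports,
        "remote_fetch_reachable": remote_fetch_reachable,
    }


def describe(policy_xml: str) -> str:
    """One-line verdict for a policy, suitable for a CI log."""
    e = css_exposure(policy_xml)
    if e["remote_fetch_reachable"]:
        return ("CSS @import fetching is reachable: <style> elements are kept and "
                f"embedStyleSheets=true (max {e['max_style_sheet_imports']} imports)")
    if e["style_element_kept"] or e["style_attribute_allowed"]:
        return "CSS is permitted but @import fetching is disabled (embedStyleSheets=false)"
    return "No CSS markup is permitted; the stylesheet scanner is never reached"


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}: {describe(policy)}")
```

To run this against a real deployment, read the policy file ESAPI is configured to use and pass its contents to describe(); a policy that reports "No CSS markup is permitted" matches the situation the comment above describes for the default antisamy-esapi.xml, while a "reachable" verdict is the case where the upgraded AntiSamy (and its httpclient5 dependency) actually matters.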
kwwall left a comment:
LGTM. I approve, or would if GitHub would allow me to select 'Approve'. Maybe either @xeno6696 or @jeremiahjstacey can approve this PR?
looks good here too.
Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.
Snyk changed the following file(s):
- pom.xml

Vulnerabilities that will be fixed with an upgrade:
Vulnerability: SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-9804209
Upgrade: 1.7.7 -> 1.7.8
Exploit maturity: No Known Exploit
Severity: Important