Bump com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer from 20220608.1 to 20260313.1

[kunalmemane]

Summary

• Bump com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer from 20220608.1 to 20260313.1 to fix CVE-2025-66021.
  Upstream PR - Fix #363: CVE-2025-66021 OWASP/java-html-sanitizer#364

• Add java10-shim and java8-shim to hpi.bundledArtifacts as newly required transitive dependencies.
  Upstream PR - Shim Java 10 collections APIs OWASP/java-html-sanitizer#328

Details

Upstream release - https://github.com/OWASP/java-html-sanitizer/releases/tag/release-20260313.1

Testing done

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests that demonstrate the feature works or the issue is fixed

[kunalmemane]

Hi @jglick, Could you please help to review this PR.
Thanks!

[jglick]

#121 (comment)

I am not a maintainer.

[kunalmemane]

@christ66 Hi, Kindly request a review on this PR which addresses CVE-2025-66021

[daniel-beck]

🤷 seems OK.

@jglick

I am not a maintainer.

In that case, please remove yourself from https://github.com/jenkins-infra/repository-permissions-updater/blob/2286e628d1aa161208d69a8940f33abeed0acbc9/permissions/plugin-antisamy-markup-formatter.yml#L9, because that's the SSOT for maintainer status.

[kunalmemane]

@daniel-beck If everything seems ok, Can we get it merged?

[daniel-beck]

@kunalmemane I don't see why not, but note that I am not a maintainer. Maintainers are the ones whose Jenkins community user names are listed in the linked YAML file (which may or may not be the same as their GitHub user).

[kunalmemane]

Thank you @daniel-beck, Will reach out to respective maintainers.

[kunalmemane]

Hi @batmat, Kindly request a review on this PR. TY!

[strangelookingnerd]

Included in this release is also OWASP/java-html-sanitizer#336 which makes my workaround in #134 -> https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/134/changes#diff-cacea0dcf3843d82bd010c245ddb10eb502059816818016b456103db0bb06300R120-R127 obsolete.

[daniel-beck]

Included in this release is also OWASP/java-html-sanitizer#336 which makes my workaround in #134 -> https://github.com/jenkinsci/antisamy-markup-formatter-plugin/pull/134/changes#diff-cacea0dcf3843d82bd010c245ddb10eb502059816818016b456103db0bb06300R120-R127 obsolete.

Nice!

I would not consider that a release blocker though, that can be cleaned up at any time. Nvm, I thought that got integrated, but apparently not. So yeah, JUnit 5 can be adopted later, without needing the workaround for value ordering.

[kunalmemane]

Hi @batmat, just checking back in on this. I've addressed all required changes and PR is ready for review.