Merge pull request #1880 from BorderTech/feature/merge-latest-georgie

Merge latest georgie version

Author: jonathanaustin

.github/workflows/github-actions-build.yml

@@ -48,7 +48,7 @@ jobs:
           echo "Sonar secure variables NOT available"
         else
           echo "Sonar secure variables ARE available"
-          mvn -B sonar:sonar -Dsonar.projectKey="bordertech-wcomponents" -Dsonar.organization="bordertech-github" -Dsonar.host.url="https://sonarcloud.io"
+          mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey="bordertech-wcomponents" -Dsonar.organization="bordertech-github" -Dsonar.host.url="https://sonarcloud.io" -Dsonar.qualitygate.wait=true
         fi
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -30,6 +30,51 @@ Client Side API:
 ### Bug Fixes
 * SelectToggle label attribute fix, `wc-data-for` > `data-wc-for`.
 
+## 1.5.39
+
+### API Changes
+* Updated AbstractRequest to remove deprecated methods uploadFileItems and readBytes (were protected static). Use StreamUtils instead.
+### Enhancements
+* Consistent use of try-with-resources when handling streams
+* Replaced org.apache.tika:tika library with org.overviewproject:mime-types in FileUtil to validate uploaded file mime types.
+* Updated the following dependencies:
+  * wcomponents-core:
+    * com.google.code.gson:gson from 2.13.1 to 2.13.2
+    * org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0
+    * commons-io:commons-io from 2.19.0 to 2.21.0
+    * com.google.errorprone:error_prone_annotations from 2.39.0 to 2.46.0
+    * org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.6
+    * org.apache.httpcomponents.core5:httpcore5 from 5.3.4 to 5.4
+  * wcomponents-test-lib:
+    * io.github.bonigarcia:webdrivermanager from 6.1.0 to 6.3.3
+    * org.apache.commons:commons-compress from 1.27.1 to 1.28.0
+    * commons-codec:commons-codec from 1.18.0 to 1.20.0
+    * com.google.guava:guava from 33.4.8-jre to 33.5.0-jre
+    * net.java.dev.jna:jna from 5.17.0 to 5.18.1
+  * wcomponents-bundle:
+    * org.ehcache:ehcahce from 3.10.8 to 3.11.1
+    * org.glassfish.jaxb:jaxb-runtime from 4.0.5 to 4.0.6
+### Bug Fixes
+* Updated FileUtil to make file extension and mime type validation case insensitive.
+
+## 1.5.38
+
+### Enhancements
+* To improve the robustness of the session token parameter (wc_t), which is used to prevent CSRF attacks, the following changes have been made:
+  * The session token is no longer included on any GET URLs and only posted in the body for POSTS.
+  * Modified the session token interceptors to only accept a session token on a POST and throw an exception if provided on a GET.
+  * Modified Targetable components to use the new createTargetUrl method in WebUtilites that centralises the logic for
+    creating the URLs for Targetable components and excludes the session token.
+  * Moved the adding of the hidden parameters onto the AJAX url from the XSL into the WApplicationRenderer so the session
+    token can be excluded.
+* Updated beanutils version and package names as beanutils had a transient dependency on commons-collections that has security vulnerabilies.
+  * commons-beanutils:commons-beanutils:1.11.0 to org.apache.commons:commons-beanutils2:2.0.0-M2
+* Updated antisamy to latest version 1.7.8 as it has reinstated the xHTML behaviour for tags. Versions 1.7.0 to 1.7.6 did not support xHTML and would break the XML.
+  * org.owasp.antisamy:antismay from 1.6.8 to 1.7.8
+* Updated FileUtil to include MetaData hints when calling tika to help tika identify a files content type.
+
+NOTE - The session token changes are not backwards compatable with older themes.
+
 ## 1.5.37
 
 ### Enhancements

code-coverage/pom.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>com.github.bordertech.wcomponents</groupId>
+		<artifactId>wcomponents-parent</artifactId>
+		<version>1.5.40-SNAPSHOT</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<name>code-coverage</name>
+	<artifactId>code-coverage</artifactId>
+
+	<packaging>jar</packaging>
+
+	<dependencies>
+		<dependency>
+			<groupId>com.github.bordertech.wcomponents</groupId>
+			<artifactId>wcomponents-core</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>com.github.bordertech.wcomponents</groupId>
+			<artifactId>wcomponents-examples</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>com.github.bordertech.wcomponents</groupId>
+			<artifactId>wcomponents-test-lib</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>com.github.bordertech.wcomponents</groupId>
+			<artifactId>wcomponents-lde</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+	</dependencies>
+
+	<build>
+
+		<plugins>
+			<!-- Generate aggreated coverage report -->
+			<plugin>
+				<groupId>org.jacoco</groupId>
+				<artifactId>jacoco-maven-plugin</artifactId>
+				<executions>
+					<execution>
+						<id>report-aggregate</id>
+						<phase>test</phase>
+						<goals>
+							<goal>report-aggregate</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+			<!-- This coverage module should never de deployed -->
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<version>3.1.4</version>
+				<configuration>
+					<skip>true</skip>
+				</configuration>
+			</plugin>
+		</plugins>
+
+	</build>
+
+</project>

pom.xml

@@ -13,7 +13,7 @@
 
 	<groupId>com.github.bordertech.wcomponents</groupId>
 	<artifactId>wcomponents-parent</artifactId>
-	<version>1.5.38-SNAPSHOT</version>
+	<version>1.5.40-SNAPSHOT</version>
 
 	<packaging>pom</packaging>
 
@@ -85,7 +85,7 @@
 			<dependency>
 				<groupId>org.ehcache</groupId>
 				<artifactId>ehcache</artifactId>
-				<version>3.10.8</version>
+				<version>3.11.1</version>
 				<exclusions>
 					<!-- Exclude jaxb runtime as ehcache has a wildcard dependency that breaks the build -->
 					<exclusion>
@@ -107,7 +107,7 @@
 			<dependency>
 				<groupId>org.glassfish.jaxb</groupId>
 				<artifactId>jaxb-runtime</artifactId>
-				<version>4.0.5</version>
+				<version>4.0.6</version>
 			</dependency>
 
 			<!-- Servlet Interface -->
@@ -217,6 +217,7 @@
 		<module>wcomponents-theme</module>
 		<module>wcomponents-xslt</module>
 		<module>wcomponents-bundle</module>
+		<module>code-coverage</module>
 	</modules>
 
 </project>

wcomponents-bundle/pom.xml

@@ -8,7 +8,7 @@
 	<parent>
 		<groupId>com.github.bordertech.wcomponents</groupId>
 		<artifactId>wcomponents-parent</artifactId>
-		<version>1.5.38-SNAPSHOT</version>
+		<version>1.5.40-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 

wcomponents-core/pom.xml

@@ -8,7 +8,7 @@
 	<parent>
 		<groupId>com.github.bordertech.wcomponents</groupId>
 		<artifactId>wcomponents-parent</artifactId>
-		<version>1.5.38-SNAPSHOT</version>
+		<version>1.5.40-SNAPSHOT</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 
@@ -101,15 +101,19 @@
 		</dependency>
 
 		<dependency>
-			<groupId>commons-beanutils</groupId>
-			<artifactId>commons-beanutils</artifactId>
-			<version>1.11.0</version>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-beanutils2</artifactId>
+			<version>2.0.0-M2</version>
 			<!-- Fix convergence -->
 			<exclusions>
 				<exclusion>
 					<groupId>commons-logging</groupId>
 					<artifactId>commons-logging</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.apache.commons</groupId>
+					<artifactId>commons-lang3</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 
@@ -186,7 +190,7 @@
 		<dependency>
 			<groupId>com.google.code.gson</groupId>
 			<artifactId>gson</artifactId>
-			<version>2.13.1</version>
+			<version>2.13.2</version>
 			<exclusions>
 				<exclusion>
 					<groupId>com.google.errorprone</groupId>
@@ -196,51 +200,36 @@
 		</dependency>
 
 		<!-- Required for HTML input sanitization of WTextArea -->
-		<!-- Antisamy as of 1.7.X does not support xhtml and will remove the closing tag on "void" elements which will break the XML-->
-		<!-- Once WComponents stops using xslt then the latest Antisamy can be used -->
+		<!-- Note - Antisamy versions 1.7.0 to 1.7.6 does not support xhtml and will remove the closing tag on "void" elements which will break the XML-->
 		<!-- https://html.spec.whatwg.org/multipage/syntax.html#void-elements -->
 		<dependency>
 			<groupId>org.owasp.antisamy</groupId>
 			<artifactId>antisamy</artifactId>
-			<version>1.6.8</version>
+			<version>1.7.8</version>
 			<!-- Fix convergence -->
 			<exclusions>
-				<exclusion>
-					<groupId>org.slf4j</groupId>
-					<artifactId>slf4j-api</artifactId>
-				</exclusion>
 				<exclusion>
 					<groupId>org.apache.xmlgraphics</groupId>
 					<artifactId>batik-css</artifactId>
 				</exclusion>
-				<exclusion>
-					<groupId>commons-io</groupId>
-					<artifactId>commons-io</artifactId>
-				</exclusion>
 				<exclusion>
 					<groupId>org.apache.httpcomponents.client5</groupId>
 					<artifactId>httpclient5</artifactId>
 				</exclusion>
 				<exclusion>
-					<groupId>org.apache.httpcomponents.core5</groupId>
-					<artifactId>httpcore5</artifactId>
+					<groupId>xerces</groupId>
+					<artifactId>xercesImpl</artifactId>
 				</exclusion>
 				<exclusion>
-					<groupId>net.sourceforge.htmlunit</groupId>
-					<artifactId>neko-htmlunit</artifactId>
+					<groupId>commons-io</groupId>
+					<artifactId>commons-io</artifactId>
 				</exclusion>
 				<exclusion>
-					<groupId>xerces</groupId>
-					<artifactId>xercesImpl</artifactId>
+					<groupId>org.apache.httpcomponents.core5</groupId>
+					<artifactId>httpcore5</artifactId>
 				</exclusion>
 			</exclusions>
 		</dependency>
-		<!-- Neko-htmlunit had a package rename as of 3.X.X and cannot be picked up until latest Antisamy can be used -->
-		<dependency>
-			<groupId>net.sourceforge.htmlunit</groupId>
-			<artifactId>neko-htmlunit</artifactId>
-			<version>2.70.0</version>
-		</dependency>
 		<dependency>
 			<groupId>org.apache.xmlgraphics</groupId>
 			<artifactId>batik-css</artifactId>
@@ -280,20 +269,9 @@
 		</dependency>
 
 		<dependency>
-			<groupId>org.apache.tika</groupId>
-			<artifactId>tika-core</artifactId>
-			<version>2.9.4</version>
-			<!-- Fix convergence -->
-			<exclusions>
-				<exclusion>
-					<groupId>org.slf4j</groupId>
-					<artifactId>slf4j-api</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>commons-io</groupId>
-					<artifactId>commons-io</artifactId>
-				</exclusion>
-			</exclusions>
+			<groupId>org.overviewproject</groupId>
+			<artifactId>mime-types</artifactId>
+			<version>2.0.0</version>
 		</dependency>
 
 		<!-- Force versions to fix convergence -->
@@ -310,22 +288,22 @@
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
-			<version>3.18.0</version>
+			<version>3.20.0</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-io</groupId>
 			<artifactId>commons-io</artifactId>
-			<version>2.19.0</version>
+			<version>2.21.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.google.errorprone</groupId>
 			<artifactId>error_prone_annotations</artifactId>
-			<version>2.39.0</version>
+			<version>2.46.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.httpcomponents.client5</groupId>
 			<artifactId>httpclient5</artifactId>
-			<version>5.5</version>
+			<version>5.6</version>
 			<exclusions>
 				<exclusion>
 					<groupId>org.slf4j</groupId>
@@ -336,7 +314,7 @@
 		<dependency>
 			<groupId>org.apache.httpcomponents.core5</groupId>
 			<artifactId>httpcore5</artifactId>
-			<version>5.3.4</version>
+			<version>5.4</version>
 		</dependency>
 
 		<!-- Test dependencies -->

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/AbstractBeanBoundTableModel.java

@@ -1,7 +1,7 @@
 package com.github.bordertech.wcomponents;
 
 import com.github.bordertech.wcomponents.WTable.BeanBoundTableModel;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/AbstractBeanTableDataModel.java

@@ -1,6 +1,6 @@
 package com.github.bordertech.wcomponents;
 
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;