Update dependencies

pom.xml

@@ -52,7 +52,7 @@
         <spring.version>5.3.30</spring.version>
         <spring-security.version>5.7.11</spring-security.version>
         <!--
-        session-bom 2021.2.0 uses 2.7.0 from session
+        session-bom 2021.2.3 uses 2.7.4 from session
         https://github.com/spring-projects/spring-session/blob/2.7.4/gradle/dependency-management.gradle
         which is aligned with core 5.3.30 and security 5.7.11 versions
         https://github.com/spring-projects/spring-session/releases/tag/2.7.4
@@ -65,31 +65,32 @@
         <javax.xml.version>1.0</javax.xml.version>
         <vecmath.version>1.5.2</vecmath.version>
 
-        <commons-lang3.version>3.13.0</commons-lang3.version>
-        <commons-text.version>1.10.0</commons-text.version>
+        <commons-lang3.version>3.14.0</commons-lang3.version>
+        <commons-text.version>1.11.0</commons-text.version>
         <!-- could be removed? -->
         <commons-collections.version>3.2.2</commons-collections.version>
-        <commons-codec.version>1.15</commons-codec.version>
+        <commons-codec.version>1.16.0</commons-codec.version>
         <commons-fileupload.version>1.5</commons-fileupload.version>
-        <commons-dbcp2.version>2.9.0</commons-dbcp2.version>
+        <commons-dbcp2.version>2.11.0</commons-dbcp2.version>
 
-        <jsoup.version>1.16.1</jsoup.version>
+        <jsoup.version>1.17.2</jsoup.version>
 
         <axiom.version>1.2.22</axiom.version>
         <stax-api.version>1.0-2</stax-api.version>
 
-        <jackson.version>2.15.2</jackson.version>
-        <jackson-databind.version>2.15.2</jackson-databind.version>
+        <jackson.version>2.16.1</jackson.version>
+        <jackson-databind.version>2.16.1</jackson-databind.version>
 
         <fi.mml.nameregister.version>1.0</fi.mml.nameregister.version>
 
         <jetty.version>9.4.51.v20230217</jetty.version>
-        <mybatis.version>3.5.13</mybatis.version>
-        <flyway.version>9.12.0</flyway.version>
+        <mybatis.version>3.5.15</mybatis.version>
+        <flyway.version>9.22.3</flyway.version>
         <postgresql.version>42.6.0</postgresql.version>
         <hikaricp.version>4.0.3</hikaricp.version>
 
-        <!-- https://github.com/spring-projects/spring-data-redis/blob/2.7.x/pom.xml#L28 -->
+        <!-- https://github.com/spring-projects/spring-data-redis/blob/2.7.x/pom.xml#L29
+         https://github.com/spring-projects/spring-data-redis/blob/2.7.4/pom.xml#L28-->
         <jedis.version>3.8.0</jedis.version>
         <quartz-scheduler.version>2.3.2</quartz-scheduler.version>
 
@@ -99,7 +100,7 @@
         <mvt.version>1.3.23</mvt.version>
         <flexjson.version>2.0</flexjson.version>
 
-        <pdfbox.version>2.0.24</pdfbox.version>
+        <pdfbox.version>2.0.30</pdfbox.version>
         <hystrix.version>1.5.18</hystrix.version>
         <!-- Test deps versions -->
         <powermock.version>2.0.9</powermock.version>
@@ -820,7 +821,7 @@
             <dependency>
                 <groupId>org.apache.xmlgraphics</groupId>
                 <artifactId>fop</artifactId>
-                <version>2.3</version>
+                <version>2.9</version>
             </dependency>
             <dependency>
                 <groupId>com.netflix.hystrix</groupId>

service-base/src/main/java/org/jsoup/safety/CustomSafelist.java

@@ -1,8 +1,6 @@
 package org.jsoup.safety;
 
 import fi.nls.oskari.util.PropertyUtil;
-import org.jsoup.nodes.Attribute;
-import org.jsoup.nodes.Element;
 
 import java.util.List;
 
@@ -15,37 +13,11 @@ public CustomSafelist() {
     }
 
     public CustomSafelist(String functionality) {
-        super();
-        copiedFromRelaxed();
+        super(Safelist.relaxed());
         // setup config
         init(functionality);
     }
 
-    /**
-     * These are copied from Whitelist.relaxed().
-     */
-    private void copiedFromRelaxed() {
-        addTags("a", "b", "blockquote", "br", "caption", "cite", "code", "col", "colgroup", "dd", "div", "dl", "dt",
-                "em", "h1", "h2", "h3", "h4", "h5", "h6", "i", "img", "li", "ol", "p", "pre", "q", "small", "span",
-                "strike", "strong", "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "u", "ul");
-        addAttributes("a", "href", "title");
-        addAttributes("blockquote", "cite");
-        addAttributes("col", "span", "width");
-        addAttributes("colgroup", "span", "width");
-        addAttributes("img", "align", "alt", "height", "src", "title", "width");
-        addAttributes("ol", "start", "type");
-        addAttributes("q", "cite");
-        addAttributes("table", "summary", "width");
-        addAttributes("td", "abbr", "axis", "colspan", "rowspan", "width");
-        addAttributes("th", "abbr", "axis", "colspan", "rowspan", "scope", "width");
-        addAttributes("ul", "type");
-        addProtocols("a", "href", "ftp", "http", "https", "mailto");
-        addProtocols("blockquote", "cite", "http", "https");
-        addProtocols("cite", "cite", "http", "https");
-        addProtocols("img", "src", "http", "https");
-        addProtocols("q", "cite", "http", "https");
-    }
-
     /**
      * Initializes custom configuration based on properties (added to relaxed settings):
      * # allowed tags
@@ -96,24 +68,12 @@ protected void init(String functionality) {
         allowDataUrlsForImages(PropertyUtil.getOptional(prefix + "html.whitelist.attr.img.dataurl", false));
     }
 
-    private void allowDataUrlsForImages(boolean enabled) {
+    protected void allowDataUrlsForImages(boolean enabled) {
         allowDataUrlsForImages = enabled;
-        // required for data-urls to function properly
-        preserveRelativeLinks(allowDataUrlsForImages);
-    }
-
-    /**
-     * The real reason for this class... allow data urls in images
-     * @param tagName
-     * @param el
-     * @param attr
-     * @return
-     */
-    @Override
-    protected boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
-        return (allowDataUrlsForImages && "img".equals(tagName)
-                    && "src".equals(attr.getKey())
-                    && attr.getValue().startsWith("data:")) ||
-                super.isSafeAttribute(tagName, el, attr);
+        if (enabled) {
+            addProtocols("img", "src", "data");
+            // required for data-urls to function properly
+            preserveRelativeLinks(allowDataUrlsForImages);
+        }
     }
 }

service-base/src/test/java/org/jsoup/safety/CustomSafelistTest.java

@@ -0,0 +1,27 @@
+package org.jsoup.safety;
+
+import org.jsoup.Jsoup;
+import org.junit.Test;
+
+import static org.junit.Assert.*;
+
+public class CustomSafelistTest {
+
+    private static final String IMG_WITH_DATA_URL = "<img src=\"data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAAUA\n" +
+            "    AAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO\n" +
+            "        9TXL0Y4OHwAAAABJRU5ErkJggg==\" alt=\"Red dot\">";
+    @Test
+    public void isSafeAttributeDataURLDisabled() {
+        CustomSafelist list = new CustomSafelist();
+        String result = Jsoup.clean(IMG_WITH_DATA_URL, list);
+        assertEquals("<img alt=\"Red dot\">", result);
+    }
+
+    @Test
+    public void isSafeAttributeDataURLEnabled() {
+        CustomSafelist list = new CustomSafelist();
+        list.allowDataUrlsForImages(true);
+        String result = Jsoup.clean(IMG_WITH_DATA_URL, list);
+        assertEquals(IMG_WITH_DATA_URL, result);
+    }
+}