Updated beanutils and antisamy versions

CHANGELOG.md

@@ -12,6 +12,11 @@
     creating the URLs for Targetable components and excludes the session token.
   * Moved the adding of the hidden parameters onto the AJAX url from the XSL into the WApplicationRenderer so the session
     token can be excluded.
+* Updated beanutils version and package names as beanutils had a transient dependency on commons-collections that has security vulnerabilies.
+  * commons-beanutils:commons-beanutils:1.11.0 to org.apache.commons:commons-beanutils2:2.0.0-M2
+* Updated antisamy to latest version 1.7.8 as it has reinstated the xHTML behaviour for tags. Versions 1.7.0 to 1.7.6 did not support xHTML and would break the XML.
+  * org.owasp.antisamy:antismay from 1.6.8 to 1.7.8
+* Updated FileUtil to include MetaData hints when calling tika to help tika identify a files content type.
 
 ### Bug Fixes
 

wcomponents-core/pom.xml

@@ -129,15 +129,19 @@
 		</dependency>
 
 		<dependency>
-			<groupId>commons-beanutils</groupId>
-			<artifactId>commons-beanutils</artifactId>
-			<version>1.11.0</version>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-beanutils2</artifactId>
+			<version>2.0.0-M2</version>
 			<!-- Fix convergence -->
 			<exclusions>
 				<exclusion>
 					<groupId>commons-logging</groupId>
 					<artifactId>commons-logging</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.apache.commons</groupId>
+					<artifactId>commons-lang3</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 
@@ -224,51 +228,28 @@
 		</dependency>
 
 		<!-- Required for HTML input sanitization of WTextArea -->
-		<!-- Antisamy as of 1.7.X does not support xhtml and will remove the closing tag on "void" elements which will break the XML-->
-		<!-- Once WComponents stops using xslt then the latest Antisamy can be used -->
+		<!-- Note - Antisamy versions 1.7.0 to 1.7.6 does not support xhtml and will remove the closing tag on "void" elements which will break the XML-->
 		<!-- https://html.spec.whatwg.org/multipage/syntax.html#void-elements -->
 		<dependency>
 			<groupId>org.owasp.antisamy</groupId>
 			<artifactId>antisamy</artifactId>
-			<version>1.6.8</version>
+			<version>1.7.8</version>
 			<!-- Fix convergence -->
 			<exclusions>
-				<exclusion>
-					<groupId>org.slf4j</groupId>
-					<artifactId>slf4j-api</artifactId>
-				</exclusion>
 				<exclusion>
 					<groupId>org.apache.xmlgraphics</groupId>
 					<artifactId>batik-css</artifactId>
 				</exclusion>
-				<exclusion>
-					<groupId>commons-io</groupId>
-					<artifactId>commons-io</artifactId>
-				</exclusion>
 				<exclusion>
 					<groupId>org.apache.httpcomponents.client5</groupId>
 					<artifactId>httpclient5</artifactId>
 				</exclusion>
-				<exclusion>
-					<groupId>org.apache.httpcomponents.core5</groupId>
-					<artifactId>httpcore5</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>net.sourceforge.htmlunit</groupId>
-					<artifactId>neko-htmlunit</artifactId>
-				</exclusion>
 				<exclusion>
 					<groupId>xerces</groupId>
 					<artifactId>xercesImpl</artifactId>
 				</exclusion>
 			</exclusions>
 		</dependency>
-		<!-- Neko-htmlunit had a package rename as of 3.X.X and cannot be picked up until latest Antisamy can be used -->
-		<dependency>
-			<groupId>net.sourceforge.htmlunit</groupId>
-			<artifactId>neko-htmlunit</artifactId>
-			<version>2.70.0</version>
-		</dependency>
 		<dependency>
 			<groupId>org.apache.xmlgraphics</groupId>
 			<artifactId>batik-css</artifactId>

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/AbstractBeanBoundTableModel.java

@@ -1,7 +1,7 @@
 package com.github.bordertech.wcomponents;
 
 import com.github.bordertech.wcomponents.WTable.BeanBoundTableModel;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/AbstractBeanTableDataModel.java

@@ -1,6 +1,6 @@
 package com.github.bordertech.wcomponents;
 
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/SimpleBeanBoundTableDataModel.java

@@ -5,7 +5,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/SimpleBeanBoundTableModel.java

@@ -7,7 +7,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/SimpleBeanListTableDataModel.java

@@ -6,7 +6,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/SimpleBeanTreeTableDataModel.java

@@ -7,7 +7,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WBeanComponent.java

@@ -6,7 +6,7 @@
 import java.io.Serializable;
 import java.util.Map;
 import java.util.Objects;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/WRepeater.java

@@ -12,7 +12,7 @@
 import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 

wcomponents-core/src/main/java/com/github/bordertech/wcomponents/util/FileUtil.java

@@ -10,6 +10,8 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.tika.Tika;
+import org.apache.tika.metadata.Metadata;
+import org.apache.tika.metadata.TikaCoreProperties;
 
 /**
  * Utility methods for {@link File}.
@@ -98,7 +100,15 @@ public static String getFileMimeType(final File file) {
 		if (file != null) {
 			try {
 				final Tika tika = new Tika();
-				return tika.detect(file.getInputStream());
+				// Setup metatdata hints to help Tika detect the mime type
+				Metadata meta = new Metadata();
+				if (file.getName() != null) {
+					meta.set(TikaCoreProperties.RESOURCE_NAME_KEY, file.getName());
+				}
+				if (file.getMimeType() != null) {
+					meta.set(TikaCoreProperties.CONTENT_TYPE_HINT, file.getMimeType());
+				}
+				return tika.detect(file.getInputStream(), meta);
 			} catch (IOException ex) {
 				LOG.error("Invalid file, name " + file.getName(), ex);
 			}

wcomponents-core/src/test/java/com/github/bordertech/wcomponents/AbstractWComponentTestCase.java

@@ -12,7 +12,7 @@
 import java.util.Map;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
-import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.beanutils2.PropertyUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.junit.After;

wcomponents-core/src/test/java/com/github/bordertech/wcomponents/WComponentsPerformance_Test.java

@@ -11,7 +11,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.beanutils2.BeanUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.junit.Assert;

wcomponents-core/src/test/java/com/github/bordertech/wcomponents/WMultiFileWidget_Test.java

@@ -10,7 +10,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.fileupload.FileItem;
 import org.junit.Assert;
 import org.junit.Test;
@@ -124,8 +124,6 @@ public void testGetFile() {
 		Assert.assertEquals("File2 should be returned for index 1", TEST_FILE_ITEM_WRAP2, widget.
 				getFile("2"));
 	}
-
-
 
 	@Test
 	public void testGetMimeType() {
@@ -323,18 +321,18 @@ public void testSetFileTypesAsNullOrEmptyList() {
 	@Test
 	public void testMaxFileSizeAccessors() {
 		assertAccessorsCorrect(new WMultiFileWidget(), WMultiFileWidget::getMaxFileSize, WMultiFileWidget::setMaxFileSize,
-			10240000L, 1L, 2L);
+				10240000L, 1L, 2L);
 	}
 
 	@Test
 	public void testDuplicateComponentModels() {
 		WMultiFileWidget multiFileWidget = new WMultiFileWidget();
-		assertNoDuplicateComponentModels(multiFileWidget,"maxFileSize", 2012312312);
+		assertNoDuplicateComponentModels(multiFileWidget, "maxFileSize", 2012312312);
 		assertNoDuplicateComponentModels(multiFileWidget, "maxFiles", 123);
 		assertNoDuplicateComponentModels(multiFileWidget, "newUpload", true);
 		assertNoDuplicateComponentModels(multiFileWidget, "useThumbnails", true);
 		assertNoDuplicateComponentModels(multiFileWidget, "thumbnailPosition", WLink.ImagePosition.SOUTH);
-		assertNoDuplicateComponentModels(multiFileWidget, "thumbnailSize", new Dimension(22,33));
+		assertNoDuplicateComponentModels(multiFileWidget, "thumbnailSize", new Dimension(22, 33));
 		// TODO: See issue #1574 https://github.com/BorderTech/wcomponents/issues/1574
 //		assertNoDuplicateComponentModels(multiFileWidget, "fileUploadRequestId", "testId"); // No such method exception as it's a private method
 	}

wcomponents-core/src/test/java/com/github/bordertech/wcomponents/render/webxml/WLabelRenderer_Test.java

@@ -94,12 +94,12 @@ public void testDoPaintAllOptions() throws IOException, SAXException, XpathExcep
 	@Test
 	public void testSanitizedText() throws IOException, SAXException, XpathException {
 		MyInput comp = new MyInput();
-		WLabel label = new WLabel("<form>content</form><br />", comp);
+		WLabel label = new WLabel("<form>content</form><br/>", comp);
 		label.setEncodeText(false);
 		label.setSanitizeOnOutput(true);
 		assertSchemaMatch(label);
 		String xml = toXHtml(label);
-		Assert.assertTrue("Label text should contain sanitized xml", xml.contains("content<br />"));
+		Assert.assertTrue("Label text should contain sanitized xml", xml.contains("content<br/>"));
 	}
 
 	@Test

wcomponents-core/src/test/java/com/github/bordertech/wcomponents/servlet/WServletPerformance_Test.java

@@ -29,7 +29,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.beanutils2.BeanUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.junit.Assert;