PT-2023-33058 · Esapi · Esapi

Published: 2023-11-27 · Updated: 2023-11-27

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: ESAPI versions 1.3 through 2.5.x

Description: The Validator.isValidSafeHTML method can result in false negatives, reporting some input as safe when it is not, potentially leading to XSS vulnerabilities. This issue affects all versions of ESAPI that include this method, dating back to at least ESAPI 1.3, and will continue to exist until the method is removed.

Recommendations: For ESAPI versions 1.3 through 2.5.x, stop using the Validator.isValidSafeHTML method. Instead, use Validator.getValidSafeHTML with the default antisamy-esapi.xml AntiSamy policy file, which is believed to be safe. For ESAPI versions 2.6.0.0 and later, no action is required, as the deprecated methods have been removed.
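The migration the recommendation describes, shown as an added example that is not part of this advisory or of the ESAPI project's own code. It assumes an ESAPI 2.5.x application with a working ESAPI.properties and the default antisamy-esapi.xml policy on the classpath; the context string "comment", the 4096-character limit and the empty-string fallback on rejection are assumptions chosen for illustration. The Validator methods and exception types used are the ones the advisory names and the ones ESAPI ships.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class SafeHtmlMigration {

    // "Before": the deprecated pattern this advisory warns about. isValidSafeHTML
    // can report input as safe when it is not, and on a true result this code
    // echoes the caller's raw input, so the verdict alone guards the output.
    public static String legacyRender(String userHtml) {
        if (ESAPI.validator().isValidSafeHTML("comment", userHtml, 4096, false)) {
            return userHtml;   // raw input rendered on a possibly wrong "safe" verdict
        }
        return "";
    }

    // "After": getValidSafeHTML passes the input through the configured AntiSamy
    // policy (antisamy-esapi.xml by default) and returns the sanitized string, so
    // what is rendered is the policy's output rather than the original input.
    // Rejections surface as exceptions, which this hypothetical handler turns
    // into an empty render rather than letting the input through.
    public static String hardenedRender(String userHtml) {
        try {
            return ESAPI.validator().getValidSafeHTML("comment", userHtml, 4096, false);
        } catch (ValidationException e) {
            // Input could not be validated under the policy: do not render it.
            return "";
        } catch (IntrusionException e) {
            // ESAPI's intrusion detector flagged the request: drop the output.
            return "";
        }
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from the advisory.
        String sample = "<p>Hello <b>world</b></p>";
        System.out.println(hardenedRender(sample));
    }
}
```

The practical difference is in what reaches the response body: legacyRender emits userHtml unchanged whenever the boolean check passes, whereas hardenedRender only ever emits the string AntiSamy produced. Searching a code base for calls to isValidSafeHTML is the quickest way to find the sites that need this change before moving to ESAPI 2.6.0.0, where the method no longer exists.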

Related Identifiers

GHSA-R68H-JHHJ-9JVM

Affected Products

Esapi