Announcement

**stonebranch2** · 27 Sep 2023, 10:58

The jtidy project moved from https://sourceforge.net/projects/jtidy/ to https://github.com/jtidy/jtidy

JTidy was initially written by Andy Quick. The project has been maintained at sourceforge.net by Fabrizio Giustina from 2004 to 2010. Since the JTidy project on SourceForge.net seemed to fall into disrepair years ago and had not been updated for years. A few had forked it on Github. William L. Thomson Jr. came along and created a fork of others forks with a tag for his packaging needs as a dependency for JMeter. Then another came along, Dell Green who noticed some issues, tests failing, and undertook fixing both.

Since the code belonged to neither, William decided to create a JTidy organization and revive the project via community support. Which you are welcome to join in. Eventually this should become the official new home for JTidy.

Thanks to all past authors and developers. Those of which who could be found on Github have been invited to join this project. Along with those that this repository was forked from.

The release number went from r938 to 1.0.1, and so on.

While I could not find a statement indicating 100% compatibility, I could also not find an indication that it was not compatible.

Do you know if we can use the following as a drop-in replacement?

Code:

<dependency>
    <groupId>com.github.jtidy</groupId>
    <artifactId>jtidy</artifactId>
    <version>1.0.5</version>
</dependency>

**Isomorphic** · 27 Sep 2023, 16:52

We have not yet checked if this new version is 100% compatible, but we'll take a look.

Just to give some scope to this vulnerability, an attacker would have to have the ability to log into your system and request a PDF export, and then, at most, this would make the server slightly slower (because a correctly implemented server would just kill the hung thread after a bit).

So, in your case (SaaS) you'd have a specific user login that tried to slow down the server and in the bizarre scenario that one of your own customers is trying to bring your service down (unsuccessfully) you could cut that customer or account off.

We'll check on the mitigation, but we just wanted to make it clear: security-wise, this is a non-issue for any system that requires logins.

**Isomorphic** · 28 Sep 2023, 11:46

It looks like this does work as a drop-in replacement.

You can use it with Maven like so:

Code:

<dependency>
    <groupId>com.isomorphic.smartclient.enterprise</groupId>
    <artifactId>isomorphic-content-export</artifactId>
    <version>${smartclient.version}</version>
    <exclusions>
        <exclusion>
            <groupId>net.sf.jtidy</groupId>
            <artifactId>jtidy</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>com.github.jtidy</groupId>
    <artifactId>jtidy</artifactId>
    <version>1.0.5</version>
</dependency>

**Isomorphic** · 29 Sep 2023, 14:48

Also note that we've updated the framework dependency, so you won't need the explicit exclusion & replacement as in the example above, effective with the 13.-d20230930 build.

**stonebranch2** · 13 Oct 2023, 11:30

Thank you,
Are we able to use jtidy 1.0.5 as a drop in replacement for 12.1p?
Regards

**Isomorphic** · 13 Oct 2023, 13:33

Yes, it seems so.

Announcement

CVE-2023-34623

Comment

Comment

Comment

Comment

Comment

Comment