We could add the dep for a 1.1 or 2.0 release, but removing the dep would be more painful for users that end up depending on it. The question is: how much benefit do we really get for TEXT from a dep on RNG?

Gary

On Dec 30, 2016 6:40 AM, "Rob Tompkins" <chtom...@gmail.com> wrote:
> Hello all,
>
> Personally, I would like to resolve the TEXT-36 and TEXT-42 Jira tickets
> before proceeding with the release, but I wanted to check to see if anyone
> else has any opinions on what work needs to be completed before the release.
>
> Regarding TEXT-36: 'Dependency on "Commons RNG"', I'm relatively
> indifferent here, I just want some others to weigh in as to their thoughts
> before deciding to leave in the dependency and making more progress on the
> best pattern after the 1.0 release.
>
> Regarding TEXT-42: '[XSS] Possible attacks through
> StringEscapeUtils.escapeEcmaScript?',
> I think we should minimally include something in the javadoc directly
> stating that with the string '\"' the output will be '\\\"' and to be
> careful using the method from a security perspective. I think maximally we
> should implement a distinct method that accommodates ECMA script escaping
> with security being the primary focus of the method, but it feels like this
> could wait to be included down the road.
>
> For the other tickets, they did not seem to me to be quite as pressing as
> these, but I'm open to ensuring whatever gets resolved prior to releasing.
> I mainly just want a second set of eyes on the list of Jiras before
> proceeding.
>
> Cheers and happy new year,
> -Rob
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
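The TEXT-42 point above is that escapeEcmaScript only escapes for a JavaScript string-literal context; the '\"' it emits is still a raw double quote to an HTML parser. The following is an added illustration, not code from Commons Text or from either poster, showing the same input in a script block versus an HTML event attribute, and the layered (inner JavaScript, then outer HTML) escaping the attribute case needs. The helper names and the `show(...)` handler are assumptions for the example.

```java
import org.apache.commons.text.StringEscapeUtils;

/** Added example (hypothetical helpers): pick the escaper for the context the string lands in. */
public final class EcmaScriptEscapeContext {

    /**
     * Inside a <script> block the value only has to be a valid JS string literal.
     * escapeEcmaScript escapes quotes, backslashes and '/', so '</script>' cannot
     * terminate the block either.
     */
    static String scriptBlockLiteral(String userInput) {
        return "var v = '" + StringEscapeUtils.escapeEcmaScript(userInput) + "';";
    }

    /**
     * Weak pattern: the JS-escaped value is dropped straight into a double-quoted
     * HTML attribute. The HTML parser runs first and knows nothing about the
     * backslash, so a '\"' in the escaped output still closes the attribute.
     */
    static String onclickAttributeWeak(String userInput) {
        return "<a onclick=\"show('" + StringEscapeUtils.escapeEcmaScript(userInput) + "')\">x</a>";
    }

    /**
     * Hardened pattern: escape for the innermost context first (JS string), then
     * for the outer one (HTML attribute). escapeHtml4 turns '"' into '&quot;', and
     * the browser decodes the entity before the JS engine sees the string.
     */
    static String onclickAttributeLayered(String userInput) {
        String js = StringEscapeUtils.escapeEcmaScript(userInput);
        return "<a onclick=\"show('" + StringEscapeUtils.escapeHtml4(js) + "')\">x</a>";
    }

    public static void main(String[] args) {
        // Constructed sample: the two-character string \" from the TEXT-42 discussion.
        String input = "\\\"";
        System.out.println("escapeEcmaScript : " + StringEscapeUtils.escapeEcmaScript(input));
        System.out.println("script block     : " + scriptBlockLiteral(input));
        System.out.println("attribute (weak) : " + onclickAttributeWeak(input));
        System.out.println("attribute (ok)   : " + onclickAttributeLayered(input));
    }
}
```

Compile against commons-text 1.0 (or commons-lang3, where StringEscapeUtils originally lived) and compare the two attribute lines: only the layered version keeps the quote inside the attribute value.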