Hi everyone,
in order to get rid of the JDOM 1 dependency (see XCOMMONS-2174) which has known security vulnerabilities, I propose that we break the API of HTMLUtils by making the inner class that currently inherits from a JDOM class private. This inner class isn’t used outside HTMLUtils, even on GitHub I couldn’t find any use outside HTMLUtils.
We cannot keep this class unmodified as its parent class is final in JDOM 2. The parent class has also been modified significantly and there is now another class that can be extended to achieve the same customizations. As this means we need a significant breakage anyway, I think just removing the class from the public API by making it private is the best solution, also to avoid future issues.
While we could perform this change independently of the full removal of JDOM 1, I think it makes most sense to do this together with/after the removal of ROME 1, which depends on JDOM 1. As the related vote seems to indicate that the removal will only be in 17.0.0, it probably makes sense to do the same for this one.
Here is the pull request that implements the suggested changes: XCOMMONS-2174: Get rid of JDOM 1 dependency by michitux · Pull Request #1131 · xwiki/xwiki-commons · GitHub
As there is no rush, I’m opening this vote for 4 days, so until October 22nd included. Here is my +1.
Thank you!