diff --git a/dist/lib/ext/commons-io.jar b/dist/lib/ext/commons-io.jar
index eb316f4020..ad00ddc407 100644
Binary files a/dist/lib/ext/commons-io.jar and b/dist/lib/ext/commons-io.jar differ
diff --git a/zhtml/build.gradle b/zhtml/build.gradle
index 47d88e35ff..fff8983c5e 100644
--- a/zhtml/build.gradle
+++ b/zhtml/build.gradle
@@ -6,7 +6,7 @@ plugins {
dependencies {
api project(':zul')
- api 'commons-io:commons-io:2.13.0'
+ api 'commons-io:commons-io:2.17.0'
api 'org.zkoss:zsoup:1.8.2.5'
}
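Review bot: The `2.17.0` literal is written out separately here and in zk/build.gradle, zksandbox/build.gradle, zktest/build.gradle and zk-parent/pom.xml, so a later security bump can miss one module and leave it on the older release. On the Gradle side, a single shared value would avoid that, for example a property defined once in the root build (constructed name) and used as `api "commons-io:commons-io:${commonsIoVersion}"`. Separately, dist/lib/ext/commons-io.jar is replaced as an unversioned binary, so nothing in this diff shows that it is the same 2.17.0 artifact the build files now name. Its checksum should be compared with the published artifact's before merging.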
diff --git a/zk-parent/pom.xml b/zk-parent/pom.xml
index 65345393e2..96b4d09f44 100644
--- a/zk-parent/pom.xml
+++ b/zk-parent/pom.xml
@@ -123,7 +123,7 @@
commons-io
commons-io
- 2.13.0
+ 2.17.0
commons-lang
diff --git a/zk/build.gradle b/zk/build.gradle
index f5cc6e5b1e..d2cc529238 100644
--- a/zk/build.gradle
+++ b/zk/build.gradle
@@ -15,7 +15,7 @@ dependencies {
api project(':zweb')
api project(':zkwebfragment')
api 'org.apache.commons:commons-fileupload2-javax:2.0.0-M2'
- api 'commons-io:commons-io:2.13.0'
+ api 'commons-io:commons-io:2.17.0'
api('com.google.guava:guava:32.1.2-jre') {
exclude group: '*', module: '*'
}
diff --git a/zkdoc/release-note b/zkdoc/release-note
index 02783669a8..9fb159e5c8 100644
--- a/zkdoc/release-note
+++ b/zkdoc/release-note
@@ -34,6 +34,7 @@ ZK 10.1.0
ZK-5546: Websocket endpoint doesn't trigger timeout-uri redirect after desktop timeout
ZK-5807: A side-effect of ZK-5582 for the testSelectRange of B70_ZK_2534_groupTest
ZK-5802: _listenFlex, _unlistenFlex declared on static member _ are used directly, cannot be overriden
+ ZK-5819: [CodeQL] Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReade
* Upgrade Notes
+ Remove Htmls.encodeJavaScript(), Strings.encodeJavaScript(), Strings.escape() with Strings.ESCAPE_JAVASCRIPT, and replace them with OWASP Java Encoder APIs instead.
diff --git a/zksandbox/build.gradle b/zksandbox/build.gradle
index e32ba4a8be..4a49720657 100644
--- a/zksandbox/build.gradle
+++ b/zksandbox/build.gradle
@@ -33,7 +33,7 @@ repositories {
}
dependencies {
- implementation 'commons-io:commons-io:2.13.0'
+ implementation 'commons-io:commons-io:2.17.0'
implementation 'commons-logging:commons-logging:1.1.1'
implementation 'org.apache.commons:commons-fileupload2-javax:2.0.0-M2'
implementation 'org.zkoss.theme:breeze:10.0.1.1-Eval'
diff --git a/zktest/build.gradle b/zktest/build.gradle
index eda1629ecc..cf34962255 100644
--- a/zktest/build.gradle
+++ b/zktest/build.gradle
@@ -60,7 +60,7 @@ dependencies {
implementation "org.zkoss.theme:atlantic:10.0.1.1-Eval"
implementation 'commons-logging:commons-logging:1.1.1'
implementation 'org.apache.commons:commons-fileupload2-javax:2.0.0-M2'
- implementation 'commons-io:commons-io:2.13.0'
+ implementation 'commons-io:commons-io:2.17.0'
implementation "org.zkoss.zk:zk:${version}"
implementation "org.zkoss.zk:zkplus:${version}"
implementation "org.zkoss.zk:zkbind:${version}"