This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch WW-5626-approach-c in repository https://gitbox.apache.org/repos/asf/struts.git
commit 32fa1fdeb730882102ab28ce159cadd53ed05726
Author: Lukasz Lenart <[email protected]>
AuthorDate: Mon May 4 16:06:05 2026 +0200
WW-5626 deprecate XStreamHandler in favor of JacksonXmlHandler
---
 .../java/org/apache/struts2/rest/handler/XStreamHandler.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamHandler.java b/plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamHandler.java
index 40a042a9c..f0cf191ca 100644
--- a/plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamHandler.java
+++ b/plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamHandler.java
@@ -42,8 +42,17 @@ import java.util.Map;
 import java.util.Set;
 /**
- * Handles XML content
+ * Handles XML content via the XStream library.
+ *
+ * @deprecated since 7.2.0, scheduled for removal in a future major version. XStream has a long
+ * history of deserialization vulnerabilities and requires per-class allowlist
+ * maintenance. The default {@code xml} binding in {@code struts-plugin.xml} uses
+ * {@link JacksonXmlHandler}, which respects {@code @StrutsParameter} authorization
+ * via the {@link AuthorizationAwareContentTypeHandler} mechanism. Users who have
+ * explicitly overridden the {@code xml} handler to {@code XStreamHandler} should
+ * migrate to {@link JacksonXmlHandler}.
  */
+@Deprecated(since = "7.2.0", forRemoval = true)
 public class XStreamHandler implements ContentTypeHandler {
     private static final Logger LOG = LogManager.getLogger(XStreamHandler.class);
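Review bot: The `{@link AuthorizationAwareContentTypeHandler}` reference in the new `@deprecated` text will be flagged by doclint if that type is neither in this package nor imported; the two imports visible in the hunk do not name it, so if it lives in another package either import it or use the fully qualified name inside the link. A deprecation annotation and Javadoc change nothing at runtime, so a deployment that has already overridden the `xml` binding to `XStreamHandler` keeps running the XStream path with no operator-visible signal until someone rebuilds against the new API; since `LOG` is already declared on the context line, a one-time `LOG.warn("XStreamHandler is deprecated and scheduled for removal; migrate the xml handler to JacksonXmlHandler");` in the constructor would surface the migration need in logs. The constructor and the rest of the class are outside this hunk.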
