While looking at the extensive dependency list of the XSS module (which are all caused by the embedded owasp.org artifacts), I found out that the versions we use are outdated.
So I think we should update those to the latest.
Furthermore, the embedded AntiSamy library does not look to be maintained anymore;
instead, the HTML sanitizer looks much fresher and claims to be faster.
I think we should switch. Quick analysis:
Lightweight (also from a dependency POV)
Incompatible (and runtime-object based) configuration
Not completely feature equivalent (but close enough and better in some aspects)
Some investigation is needed on how:
a) filter rules can be configured (e.g. Sling configurations, file based, code bundle, ... ?)
b) existing configurations can be migrated