Hey there
That latest CVE seems not to be a big problem for our current products as they are pretty up to date. But we also have an old one, Vaadin 7 without ext. maintenance…
So my workmate is checking many lines of code right now :)
As it says “the Action class is a general-purpose class that may be used by multiple components” I wonder what is the best way to find the relevant lines as fast as possible.
Is it sufficient to check just for any .setCaption()? We are pretty sure that no user input is used anywhere for captions but of course would like to be sure about that ;)
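One way to scope the review the question describes is a quick triage pass over the Java sources that lists every `new Action(...)` and `.setCaption(...)` call whose caption argument is not a plain string literal. The script below is an added example, not code from the thread or from Vaadin: it uses a small constructed Java snippet as input, treats only the first argument of each call as the caption (the Vaadin 7 `Action(String caption)` and `Action(String caption, Resource icon)` constructors both take the caption first), and reports everything non-literal as a review candidate. Plain `.setCaption(` also matches component captions, which are not Action captions, so the output is a shortlist for humans, not a verdict.

```python
import re

# Constructed Java sample (not from the page): the mix of calls an audit would see.
SAMPLE_JAVA = """\
package demo;
public class Demo {
    void build(String userSupplied) {
        Action a = new Action("Open");                 // literal caption
        Action b = new Action(userSupplied);           // non-literal: review
        a.setCaption("Close");                         // literal caption
        b.setCaption(item.getName() + " (copy)");      // non-literal: review
        label.setCaption(userSupplied);                // component caption, still listed
    }
}
"""

# Matches the call head up to and including its opening parenthesis.
CALL_RE = re.compile(r'(new\s+Action\s*\(|\.setCaption\s*\()')

# A caption built only from string literals (optionally concatenated) is static.
LITERAL_ONLY = re.compile(
    r'^\s*"(?:[^"\\]|\\.)*"(?:\s*\+\s*"(?:[^"\\]|\\.)*")*\s*$')


def _extract_args(src, open_paren):
    """Return the text between src[open_paren] == '(' and its matching ')'.

    Tracks string literals so parentheses inside captions do not confuse
    the depth count. Returns None when the call is unterminated.
    """
    depth, in_str, i = 0, False, open_paren
    while i < len(src):
        c = src[i]
        if in_str:
            if c == '\\':
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return None


def _first_arg(args):
    """Split off the first top-level argument (commas inside strings or
    nested calls do not count)."""
    depth, in_str = 0, False
    for i, c in enumerate(args):
        if in_str:
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
        elif c == ',' and depth == 0:
            return args[:i]
    return args


def find_caption_calls(src):
    """List every Action constructor / setCaption call with its caption
    argument and whether that argument is a static literal."""
    findings = []
    for m in CALL_RE.finditer(src):
        args = _extract_args(src, m.end() - 1)
        if args is None:
            continue
        caption = _first_arg(args).strip()
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "kind": "Action constructor" if m.group(1).startswith("new") else "setCaption",
            "caption": caption,
            "literal": bool(LITERAL_ONLY.match(caption)),
        })
    return findings


def review_candidates(src):
    """Only the calls whose caption is not a static literal."""
    return [f for f in find_caption_calls(src) if not f["literal"]]


if __name__ == "__main__":
    for f in review_candidates(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['kind']} <- {f['caption']}")
```

Run it over real sources by reading each `.java` file into `src`; the literal-only calls it drops are the ones that cannot carry user input, so the manual review in the thread can start from the remaining list.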
I believe the Spreadsheet is the only official component that shows Action’s caption in the component itself (in Spreadsheet it will be the ContextMenu caption). E.g. if you just use key shortcuts in Vaadin 7, the caption is not used. But we cannot rule out the possibility that there are add-ons that show it or that our customers have custom code that uses it. That is why the fix has been done in Action, so that there is maximum coverage of the fix.