OWASP · jgadsden · Feb 5, 2026 · Mar 1, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,8 +12,8 @@ updates:
         patterns:
           - "*"
         update-types:
-          - "minor"
           - "patch"
+          - "minor"
       security-update:
         applies-to: security-updates
         patterns:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -20,10 +20,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@v2.7.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           args: >-
             --no-progress
@@ -42,7 +42,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Lint markdown
         uses: DavidAnson/markdownlint-cli2-action@v22.0.0
@@ -58,22 +58,22 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Spell check EN language
-        uses: rojopolis/spellcheck-github-actions@0.56.0
+        uses: rojopolis/spellcheck-github-actions@0.58.0
         with:
           config_path: .spellcheck-en.yaml
 
       - name: Spell check ES language
-        uses: rojopolis/spellcheck-github-actions@0.56.0
+        uses: rojopolis/spellcheck-github-actions@0.58.0
         with:
           config_path: .spellcheck-es.yaml
 
       # rojopolis/spellcheck-github-actions does not support PT-BR,
       # only PT, and PT-BR is too different to pass a PT spellcheck
       - name: Set up Python for PT-BR
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: '3.10'
 
@@ -93,10 +93,10 @@ jobs:
     needs: [md_linter, spell_checker]
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 
@@ -127,10 +127,10 @@ jobs:
     needs: [md_linter, spell_checker]
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 

diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml
@@ -25,7 +25,7 @@ jobs:
           keep_minimum_runs: 10
 
       - name: Delete unused workflows
-        uses: otto-de/purge-deprecated-workflow-runs@v4.0.2
+        uses: otto-de/purge-deprecated-workflow-runs@v4.0.3
         with:
           token: ${{ github.token }}
 
@@ -34,10 +34,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@v2.7.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           # skip the jekyll files under '_includes' directory, check all other directories
           args: >-
@@ -61,7 +61,7 @@ jobs:
 
     steps:
       - name: Tidy stale PRs and issues
-        uses: actions/stale@v10.1.1
+        uses: actions/stale@v10.2.0
         with:
           days-before-issue-stale: 183
           days-before-issue-close: -1

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@v2.7.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           args: >-
             --exclude 'github\.com/OWASP/DevGuide/blob/main/docs'
@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Lint markdown
         uses: DavidAnson/markdownlint-cli2-action@v22.0.0
@@ -52,10 +52,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Spell check EN language
-        uses: rojopolis/spellcheck-github-actions@0.56.0
+        uses: rojopolis/spellcheck-github-actions@0.58.0
         with:
           config_path: .spellcheck-en.yaml
 
@@ -64,10 +64,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Spell check ES language
-        uses: rojopolis/spellcheck-github-actions@0.56.0
+        uses: rojopolis/spellcheck-github-actions@0.58.0
         with:
           config_path: .spellcheck-es.yaml
 
@@ -76,12 +76,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       # rojopolis/spellcheck-github-actions does not support PT-BR,
       # only PT, and PT-BR is too different to pass a PT spellcheck
       - name: Set up Python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: '3.10'
 
@@ -101,10 +101,10 @@ jobs:
     needs: [md_linter, spell_checker_en, spell_checker_es, spell_checker_pt-br]
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 
@@ -132,10 +132,10 @@ jobs:
     needs: [build_check]
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,10 +15,10 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout markdown
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 
@@ -46,7 +46,7 @@ jobs:
     needs: [export_pdf]
     steps:
       - name: Check out
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@v6.0.2
 
       - name: Fetch prepared SBOM artifacts
         uses: actions/download-artifact@v7.0.0

diff --git a/.wordlist-en.txt b/.wordlist-en.txt
@@ -162,6 +162,7 @@ LINNDUN
 LLM
 LSMs
 Laravel
+LevelBlue
 Lezza
 LifeCycle
 Lifecycle

diff --git a/.wordlist-es.txt b/.wordlist-es.txt
@@ -263,6 +263,7 @@ leaks
 learning
 left
 Left
+LevelBlue
 LFD
 library
 LINDDUN

diff --git a/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md b/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md
@@ -1,28 +1,29 @@
-The [Threat Model Project][tmproject] is an over-arching project provided by OWASP
+The OWASP [Threat Modeling Project][tmproject] is an over-arching project
 that seeks to inform and guide on the very large domain that is [Threat Modeling][tmptm].
 
 #### What is the Threat Model project?
 
 The Threat Model project is not intended to be a primary source on the threat modeling domain;
 there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat.
 
-Instead the Threat Model project seeks to provide information on [threat modeling techniques][tmpapp]
+Instead the Threat Model project seeks to provide direction on [threat modeling techniques][tmpapp]
 for applications and systems of all types, with a focus on current and emerging techniques.
+To provide this the project intends to collate threat modeling techniques, methodologies, tools and examples.
 
-To do this project intends to gather techniques, methodologies, tools and examples.
-There is also the intention to foster a threat modeling community and support it through initiatives and forums.
+There is also the aim to foster a threat modeling community and support it through initiatives and forums.
 
-Note that much of this is what the project intends to provide in the future.
-As of January 2026 the project is going through a change process that will better provide this information and guidance.
+Note that much of this are intentions for the future;
+as of January 2026 the project is going through a change process that will better provide this information and guidance.
+At present it is at OWASP Incubator status with promotion to Laboratory status expected later in 2026.
 
 #### Why refer to this project?
 
 The [Threat Modeling][tmproject] project is an over-arching project for the other threat modeling projects and resources.
 
 It can be used as a landing page for all things threat modeling;
 the starting point for finding [resources and tools][tmpres] as well as the core concepts.
-For example there is an introduction to Shostack's [Four Question Framework][4QFW],
-that then references the primary source if the user needs to know more.
+For example there is an introduction to Shostack's [Four Question Framework][4QFW]
+that references the primary source if the user needs to know more.
 
 #### OWASP threat modeling projects
 

diff --git a/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md b/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md
@@ -0,0 +1,46 @@
+The OWASP [Java HTML Sanitizer][html-sanitizer-project] and OWASP [Java Encoder][java-encoder-project] projects
+are security libraries for Java web applications that provide output encoding and HTML input sanitization.
+
+The OWASP [JSON Sanitizer][json-sanitizer] Java library is used to ensure JSON input / output is standards compliant.
+
+#### What are they?
+
+Java Encoder
+contextual output encoding as part of a defense in depth approach to preventing XSS
+
+#### Why use the libraries?
+
+The use of these libraries is widely used to protect against
+
+and remain widely used to this day.
+
+These are both established projects with a regular release history from 2026 back to 2013.
+
+The OWASP [JSON Sanitizer][json-sanitizer] Java library is less well supported
+but should be considered for JSON specific output sanitization; it is a direct dependency for literally 1000s of projects.
+
+#### How to use the libraries
+
+[via Maven][java-encoder]
+
+#### References
+
+* OWASP [Cross Site Scripting prevention][csxss] Cheatsheet
+* OWASP [Java Encoder][java-encoder-github]
+* OWASP [Java HTML Sanitizer][html-sanitizer]
+* OWASP [JSON Sanitizer][json-sanitizer]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue050304] or [edit on GitHub][edit050304].
+
+[csxss]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
+[edit050304]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md
+[html-sanitizer]: https://github.com/OWASP/java-html-sanitizer/releases/latest/
+[html-sanitizer-project]: https://owasp.org/www-project-java-html-sanitizer/
+[issue050304]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/04-java-secure-libs
+[java-encoder]: http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22
+[java-encoder-github]: https://github.com/OWASP/owasp-java-encoder/releases/latest/
+[java-encoder-project]: https://owasp.org/www-project-java-encoder/
+[json-sanitizer]: https://github.com/OWASP/json-sanitizer/releases/latest/
diff --git a/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md b/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md
@@ -65,7 +65,7 @@ then [submit an issue][issue080401] or [edit on GitHub][edit080401].
 [defectdojo]: https://defectdojo.com/
 [defectdojo-docs]: https://docs.defectdojo.com/
 [defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md
-[defectdojo-install]: https://docs.defectdojo.com/en/about_defectdojo/new_user_checklist/
+[defectdojo-install]: https://docs.defectdojo.com/get_started/about/
 [defectdojo-project]: https://owasp.org/www-project-defectdojo/
 [defectdojo-tools]: https://defectdojo.com/integrations
 [edit080401]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md

diff --git a/docs/en/07-training-education/02-secure-coding-dojo.md b/docs/en/07-training-education/02-secure-coding-dojo.md
@@ -46,7 +46,7 @@ to practice penetration testing.
 The OWASP Developer Guide is a community effort; if there is something that needs changing
 then [submit an issue][issue0902] or [edit on GitHub][edit0902].
 
-[codedojo]: https://securecodingdojo.owasp.org/
+[codedojo]: https://securecodingdojo.owasp.org/public/index.html
 [codedojo-insecure]: https://github.com/OWASP/SecureCodingDojo/wiki/Running-Insecure.Inc
 [codedojo-install]: https://github.com/OWASP/SecureCodingDojo/wiki/Deploying-with-Docker
 [codedojo-project]: https://owasp.org/www-project-secure-coding-dojo/

diff --git a/docs/en/09-operations/03-modsecurity.md b/docs/en/09-operations/03-modsecurity.md
@@ -6,7 +6,7 @@ In 2024 it became an OWASP Production project, supported by the existing leaders
 #### What is ModSecurity?
 
 In January 2024 the [ModSecurity][modsec] Web Application Firewall project was [adopted by OWASP][modsec-press],
-previously [TrustWave][trustwave] had been the custodian of this project.
+previously TrustWave (now [LevelBlue][levelblue]) had been the custodian of this project.
 ModSecurity itself has a long history as an open source project, the first release was in November 2002,
 and is widely used as a web application firewall for [cloud applications][cscloud] and on-premises web servers.
 
@@ -39,7 +39,7 @@ then [submit an issue][issue1103] or [edit on GitHub][edit1103].
 [cscloud]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet
 [edit1103]: https://github.com/OWASP/DevGuide/blob/main/docs/en/09-operations/03-modsecurity.md
 [issue1103]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2009-operations/03-modsecurity
+[levelblue]: https://www.levelblue.com/
 [modsec]: https://owasp.org/www-project-modsecurity/
 [modsec-docs]: https://modsecurity.org/
 [modsec-press]: https://owasp.org/blog/2024/01/09/ModSecurity.html
-[trustwave]: https://www.trustwave.com/
diff --git a/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md b/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md
@@ -70,7 +70,7 @@ La Guía para Desarrolladores de OWASP es un esfuerzo comunitario; si hay algo q
 [defectdojo]: https://defectdojo.com/
 [defectdojo-docs]: https://docs.defectdojo.com/
 [defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md
-[defectdojo-install]: https://docs.defectdojo.com/en/about_defectdojo/new_user_checklist/
+[defectdojo-install]: https://docs.defectdojo.com/get_started/about/
 [defectdojo-project]: https://owasp.org/www-project-defectdojo/
 [defectdojo-tools]: https://defectdojo.com/integrations
 [edit080401]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/04-vulnerability-management/01-defectdojo.md

diff --git a/mkdocs-pdf-en.yaml b/mkdocs-pdf-en.yaml
@@ -91,6 +91,7 @@ nav:
       - ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md
       - CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md
       - OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md
+      - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
     - MASWE: en/05-implementation/04-maswe.md
   - Verification:
     - Overview: en/06-verification/index.md

diff --git a/mkdocs-pdf-es.yaml b/mkdocs-pdf-es.yaml
@@ -96,6 +96,7 @@ nav:
       - ESAPI: es/05-implementation/03-secure-libraries/01-esapi.md
       - CSRFGuard: es/05-implementation/03-secure-libraries/02-csrf-guard.md
       - OSHP: es/05-implementation/03-secure-libraries/03-secure-headers.md
+      - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
     - MASWE: es/05-implementation/04-maswe.md
   - Verificación:
     - Descripción: es/06-verification/index.md

diff --git a/mkdocs-pdf-fa.yaml b/mkdocs-pdf-fa.yaml
@@ -91,6 +91,7 @@ nav:
       - ESAPI: en/05-implementation/03-secure-libraries/01-esapi.md
       - CSRFGuard: en/05-implementation/03-secure-libraries/02-csrf-guard.md
       - OSHP: en/05-implementation/03-secure-libraries/03-secure-headers.md
+      - Java: en/05-implementation/03-secure-libraries/04-java-secure-libs.md
     - MASWE: en/05-implementation/04-maswe.md
   - Verification:
     - Overview: en/06-verification/index.md
-Original file line number
+Diff line change
@@ Expand Up / @@ -162,6 +162,7 @@ LINNDUN @@
     LLM
     LSMs
     Laravel
+    LevelBlue
     Lezza
     LifeCycle
     Lifecycle
@@ Expand Down @@