break dependency on outdated log4j

[MFTabriz]

Currently, we ship a version of vnu.jar which uses log4j v1.2.17 and commons-fileupload v1.3.1 both of which have severe (probably irrelevant) vulnerabilities. This is preventing automatic deployment of html5validator in secure environments. As the upstream maintainers do not want to update their log4j dependency, we have to either patch it locally or drop the dependency on vnu.jar.