Sync from SUSE:SLFO:Main python-bleach revision 93205a0fb0b42cec4f1c26621cb73896

2024-05-03 20:14:05 +02:00 · 2024-05-03 20:14:05 +02:00 · 56376caa6b
commit 56376caa6b
6 changed files with 574 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/bleach-6.0.0.tar.gz
+++ b/bleach-6.0.0.tar.gz
--- a/de-vendor.patch
+++ b/de-vendor.patch
@ -0,0 +1,86 @@
+Index: bleach-6.0.0/bleach/html5lib_shim.py
+===================================================================
+--- bleach-6.0.0.orig/bleach/html5lib_shim.py
+++ bleach-6.0.0/bleach/html5lib_shim.py
+@@ -14,27 +14,27 @@ warnings.filterwarnings(
+     "ignore",
+     message="html5lib's sanitizer is deprecated",
+     category=DeprecationWarning,
+-    module="bleach._vendor.html5lib",
+    module="html5lib",
+ )
+ 
+-from bleach._vendor.html5lib import (  # noqa: E402 module level import not at top of file
+from html5lib import (  # noqa: E402 module level import not at top of file
+     HTMLParser,
+     getTreeWalker,
+ )
+-from bleach._vendor.html5lib import (
+from html5lib import (
+     constants,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.constants import (  # noqa: E402 module level import not at top of file
+from html5lib.constants import (  # noqa: E402 module level import not at top of file
+     namespaces,
+     prefixes,
+ )
+-from bleach._vendor.html5lib.constants import (
+from html5lib.constants import (
+     _ReparseException as ReparseException,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.filters.base import (
+from html5lib.filters.base import (
+     Filter,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.filters.sanitizer import (
+from html5lib.filters.sanitizer import (
+     allowed_protocols,
+     allowed_css_properties,
+     allowed_svg_properties,
+@@ -42,21 +42,21 @@ from bleach._vendor.html5lib.filters.san
+     svg_attr_val_allows_ref,
+     svg_allow_local_href,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.filters.sanitizer import (
+from html5lib.filters.sanitizer import (
+     Filter as SanitizerFilter,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib._inputstream import (
+from html5lib._inputstream import (
+     HTMLInputStream,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib.serializer import (
+from html5lib.serializer import (
+     escape,
+     HTMLSerializer,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib._tokenizer import (
+from html5lib._tokenizer import (
+     attributeMap,
+     HTMLTokenizer,
+ )  # noqa: E402 module level import not at top of file
+-from bleach._vendor.html5lib._trie import (
+from html5lib._trie import (
+     Trie,
+ )  # noqa: E402 module level import not at top of file
+ 
+Index: bleach-6.0.0/tests/test_clean.py
+===================================================================
+--- bleach-6.0.0.orig/tests/test_clean.py
+++ bleach-6.0.0/tests/test_clean.py
+@@ -5,7 +5,7 @@ import pytest
+ from bleach import clean
+ from bleach.html5lib_shim import Filter
+ from bleach.sanitizer import ALLOWED_PROTOCOLS, Cleaner, NoCssSanitizerWarning
+-from bleach._vendor.html5lib.constants import rcdataElements
+from html5lib.constants import rcdataElements
+ 
+ 
+ @pytest.mark.parametrize(
+Index: bleach-6.0.0/bleach/parse_shim.py
+===================================================================
+--- bleach-6.0.0.orig/bleach/parse_shim.py
+++ bleach-6.0.0/bleach/parse_shim.py
+@@ -1 +1 @@
+-from bleach._vendor.parse import urlparse  # noqa
+from urllib.parse import urlparse  # noqa
--- a/python-bleach.changes
+++ b/python-bleach.changes
@ -0,0 +1,365 @@
+-------------------------------------------------------------------
+Thu Jun 29 11:31:20 UTC 2023 - Markéta Machová <mmachova@suse.com>
+
+- Add patch strip-spaces.patch (bsc#1212852)
+  * sent upstream: https://github.com/mozilla/bleach/pull/706
+
+-------------------------------------------------------------------
+Mon May  8 11:57:24 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 6.0.0:
+  * bleach.clean, bleach.sanitizer.Cleaner,
+    bleach.html5lib_shim.BleachHTMLParser: the tags and protocols
+    arguments were changed from lists to sets.
+  * bleach.linkify, bleach.linkifier.Linker: the skip_tags and
+    recognized_tags arguments were changed from lists to sets.
+  * bleach.sanitizer.BleachSanitizerFilter: strip_allowed_elements is
+    now strip_allowed_tags. We now use “tags” everywhere rather than a
+    mishmash of “tags” in some places and “elements” in others.
+  # Bug fixes
+  * Add support for Python 3.11. (#675)
+  * Fix API weirness in BleachSanitizerFilter. (#649)
+  * We’re using “tags” instead of “elements” everywhere–no more weird
+    overloading of “elements” anymore.
+  * Also, it no longer calls the superclass constructor.
+  * Add warning when css_sanitizer isn’t set, but the style attribute
+    is allowed. (#676)
+  * Fix linkify handling of character entities. (#501)
+  * Rework dev dependencies to use requirements-dev.txt and
+    requirements-flake8.txt instead of extras.
+  * Fix project infrastructure to be tox-based so it’s easier to have
+    CI run the same things we’re running in development and with
+    flake8 in an isolated environment.
+  * Update action versions in CI.
+  * Switch to f-strings where possible. Make tests parametrized to be
+    easier to read/maintain.
+
+-------------------------------------------------------------------
+Fri Apr 21 12:22:44 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- add sle15_python_module_pythons (jsc#PED-68)
+
+-------------------------------------------------------------------
+Thu Apr 13 22:40:18 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Make calling of %{sle15modernpython} optional.
+
+-------------------------------------------------------------------
+Fri Mar 24 11:38:58 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Remove not needed dependency python-packaging
+
+-------------------------------------------------------------------
+Thu Nov  3 09:00:37 UTC 2022 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Remove not needed python-six dependency
+- Remove python_module macro definition
+- More specific python_sitelib in files
+
+-------------------------------------------------------------------
+Thu Sep 29 06:58:58 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 5.0.1:
+  * Add missing comma to tinycss2 require. Thank you, @shadchin!
+  * Add url parse tests based on wpt url tests. (#688)
+  * Support scheme-less urls if "https" is in allow list. (#662)
+  * Handle escaping ``<`` in edge cases where it doesn't start a tag. (#544)
+  * Correctly urlencode email address parts. Thank you, @larseggert! (#659)
+  * ``clean`` and ``linkify`` now preserve the order of HTML attributes.
+  * Drop support for Python 3.6. Thank you, @hugovk! (#629)
+  * CSS sanitization in style tags is completely different now.
+  * Python 3.9 support
+  * Drop support for unsupported Python versions <3.6. (#520)
+  * add more tests for CVE-2021-23980 / GHSA-vv2x-vrpj-qqpq
+- Refresh de-vendor.patch, and convert to patch level 1
+
+-------------------------------------------------------------------
+Tue Apr 13 09:20:21 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 3.3.0:
+  * Backwards incompatible change: clean escapes HTML comments
+    even when strip_comments=False
+  * Fix CVE-2021-23980: mutation XSS on bleach.clean with specific
+    combinations of allowed tags (boo#1184547)
+- includes changes from 3.2.3:
+  * fix clean and linkify raising ValueErrors for certain inputs
+- includes changes from 3.2.2:
+  * fix linkify raising an IndexError on certain inputs
+- includes changes from 3.2.1:
+  * change linkifier to add rel="nofollow" as documented
+- includes changes from 3.2.0:
+  * html5lib dependency increased to 1.1.0
+
+-------------------------------------------------------------------
+Mon Aug 31 09:15:22 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Skip tests that fail with html5lib 1.1 ref the upstream ticket
+
+-------------------------------------------------------------------
+Wed May  6 07:12:54 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Update to 3.1.5:
+  * replace missing ``setuptools`` dependency with ``packaging``. Thank you Benjamin Peterson.
+
+-------------------------------------------------------------------
+Wed Apr  1 11:18:24 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 3.1.4 (bsc#1168280, CVE-2020-6817):
+  * ``bleach.clean`` behavior parsing style attributes could result in a
+    regular expression denial of service (ReDoS).
+    Calls to ``bleach.clean`` with an allowed tag with an allowed
+    ``style`` attribute were vulnerable to ReDoS. For example,
+    ``bleach.clean(..., attributes={'a': ['style']})``.
+  * Style attributes with dashes, or single or double quoted values are
+    cleaned instead of passed through.
+
+-------------------------------------------------------------------
+Mon Mar 23 10:09:15 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 3.1.3 (bsc#1167379, CVE-2020-6816):
+  * Add relative link to code of conduct. (#442)
+  * Drop deprecated 'setup.py test' support. (#507)
+  * Fix typo: curren -> current in tests/test_clean.py (#504)
+  * Test on PyPy 7
+  * Drop test support for end of life Python 3.4
+  * ``bleach.clean`` behavior parsing embedded MathML and SVG content
+    with RCDATA tags did not match browser behavior and could result in
+    a mutation XSS.
+    Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
+    ``svg`` tags and one or more of the RCDATA tags ``script``,
+    ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
+    ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
+    XSS.
+
+-------------------------------------------------------------------
+Fri Feb 28 16:13:43 UTC 2020 - Alexandros Toptsoglou <atoptsoglou@suse.com>
+
+- Update to V3.1.1: Security update for CVE-2020-6802  
+
+  * CVE-2020-6802: Fixed mutation XSS vulnerabilities (bsc#1165303). 
+
+-------------------------------------------------------------------
+Wed Jan  8 10:35:41 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Switch off test_uri_value_allowed_protocols test to work around
+  gh#mozilla/bleach#503.
+
+-------------------------------------------------------------------
+Fri Jul 19 12:02:58 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Restrict pytest to <5.0; upstream has an issue already reported
+
+-------------------------------------------------------------------
+Sun Mar  3 09:14:50 UTC 2019 - John Vandenberg <jayvdb@gmail.com>
+
+- Add de-vendor.patch to avoid new vendoring of html5lib in v3.1.0
+- Remove direct dependency on webencodings, a dependency of html5lib
+- Update to v3.1.0
+  * Add ``recognized_tags`` argument to the linkify ``Linker`` class. This
+    fixes issues when linkifying on its own and having some tags get escaped.
+    It defaults to a list of HTML5 tags
+  * Add ``six>=1.9`` to requirements
+  * Fix cases where attribute names could have invalid characters in them.
+  * Fix problems with ``LinkifyFilter`` not being able to match links
+    across ``&amp;``.
+  * Fix ``InputStreamWithMemory`` when the ``BleachHTMLParser`` is
+    parsing ``meta`` tags
+  * Fix doctests.
+- from v3.0.2
+  * Merge ``Characters`` tokens after sanitizing them. This fixes issues
+    in the ``LinkifyFilter`` where it was only linkifying parts of urls
+- from v3.0.1
+  * Support Python 3.7. It supported Python 3.7 just fine, but 3.7 was
+    added to the list of Python environments being test
+  * Fix ``list`` object has no attribute ``lower`` in ``clean``
+  * Fix ``abbr`` getting escaped in ``linkify``
+- from v3.0.0
+  * [breaking] A bunch of functions were moved from one module to another.
+    These were moved from ``bleach.sanitizer`` to ``bleach.html5lib_shim``:
+    + convert_entity
+    + convert_entities
+    + match_entity
+    + next_possible_entity
+    + BleachHTMLSerializer
+    + BleachHTMLTokenizer
+    + BleachHTMLParser
+    These functions and classes weren't documented and aren't part of the
+    public API, but people read code and might be using them so we're
+    considering it an incompatible API change.
+    If you're using them, you'll need to update your code.
+  * Bleach no longer depends on html5lib. html5lib==1.0.1 is now vendored into
+    Bleach. You can remove it from your requirements file if none of your other
+    requirements require html5lib.
+    This means Bleach will now work fine with other libraries that depend on
+    html5lib regardless of what version of html5lib they require.
+  * Fixed tags getting added when using clean or linkify. This was a
+    long-standing regression from the Bleach 2.0 rewrite
+  * Fixed ``<isindex>`` getting replaced with a string. Now it gets escaped or
+    stripped depending on whether it's in the allowed tags or not
+- from v2.1.4
+  * Dropped support for Python 3.3
+  * Handle ambiguous ampersands in correctly
+
+-------------------------------------------------------------------
+Wed Dec  5 01:56:44 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
+
+- Trim rhetorics and bias from descriptions.
+
+-------------------------------------------------------------------
+Tue Dec  4 12:46:11 UTC 2018 - Matej Cepl <mcepl@suse.com>
+
+- Remove superfluous devel dependency for noarch package
+
+-------------------------------------------------------------------
+Tue Mar 20 08:38:36 UTC 2018 - kbabioch@suse.com
+
+- Update to version 2.1.3:
+  * Attributes that have URI values weren't properly sanitized if the
+    values contained character entities. Using character entities, it
+    was possible to construct a URI value with a scheme that was not
+    allowed that would slide through unsanitized.
+    (CVE-2018-7753 bnc#1085969)
+
+-------------------------------------------------------------------
+Thu Dec  7 16:50:14 UTC 2017 - arun@gmx.de
+
+- specfile:
+  * update copyright year
+
+- update to version 2.1.2:
+  * Bug fixes
+    + Support html5lib-python 1.0.1. (#337)
+    + Add deprecation warning for supporting html5lib-python < 1.0.
+    + Switch to semver.
+
+-------------------------------------------------------------------
+Sat Nov 11 17:17:50 UTC 2017 - arun@gmx.de
+
+- specfile:
+  * update copyright year
+
+- update to version 2.1.1:
+  * Bug fixes
+    + Fix setup.py opening files when LANG=. (#324)
+
+- changes from version 2.1:
+  * Security fixes
+    + Convert control characters (backspace particularly) to “?”
+      preventing malicious copy-and-paste situations. (#298)
+      See https://github.com/mozilla/bleach/issues/298 for more details.
+      This affects all previous versions of Bleach. Check the comments
+      on that issue for ways to alleviate the issue if you can’t
+      upgrade to Bleach 2.1.
+  * Backwards incompatible changes
+    + Redid versioning. bleach.VERSION is no longer available. Use the
+      string version at bleach.__version__ and parse it with
+      pkg_resources.parse_version. (#307)
+    + clean, linkify: linkify and clean should only accept text types;
+      thank you, Janusz! (#292)
+    + clean, linkify: accept only unicode or utf-8-encoded str (#176)
+  * Bug fixes
+    + bleach.clean() no longer unescapes entities including ones that
+      are missing a ; at the end which can happen in urls and other
+      places. (#143)
+    + linkify: fix http links inside of mailto links; thank you,
+      sedrubal! (#300)
+    + clarify security policy in docs (#303)
+    + fix dependency specification for html5lib 1.0b8, 1.0b9, and
+      1.0b10; thank you, Zoltán! (#268)
+    + add Bleach vs. html5lib comparison to README; thank you, Stu
+      Cox! (#278)
+    + fix KeyError exceptions on tags without href attr; thank you,
+      Alex Defsen! (#273)
+    + add test website and scripts to test bleach.clean() output in
+      browser; thank you, Greg Guthe!
+
+-------------------------------------------------------------------
+Wed Apr 12 15:15:17 UTC 2017 - toddrme2178@gmail.com
+
+- Fix source URL.
+
+-------------------------------------------------------------------
+Thu Apr  6 17:49:43 UTC 2017 - toddrme2178@gmail.com
+
+- Update to Version 2.0.0
+  + Backwards incompatible changes
+    * Removed support for Python 2.6. #206
+    * Removed support for Python 3.2. #224
+    * Bleach no longer supports html5lib < 0.99999999 (8 9s).
+    * ``bleach.clean`` and friends were rewrittenped.
+    * ``bleach.clean`` and friends attribute callables now take three arguments:
+      tag, attribute name and attribute value. Previously they only took attribute
+      name and attribute value.
+    * ``bleach.linkify`` was rewritten
+    * ``bleach.linkify`` and friends had a ``skip_pre`` argument--that's been
+      replaced with a more general ``skip_tags`` argument.
+  + Changes
+    * Supports Python 3.6.
+    * Supports html5lib >= 0.99999999 (8 9s).
+    * There's a ``bleach.sanitizer.Cleaner`` class that you can instantiate with your
+      favorite clean settings for easy reuse.
+    * There's a ``bleach.linkifier.Linker`` class that you can instantiate with your
+      favorite linkify settings for easy reuse.
+    * There's a ``bleach.linkifier.LinkifyFilter`` which is an htm5lib filter that
+      you can pass as a filter to ``bleach.sanitizer.Cleaner`` allowing you to clean
+      and linkify in one pass.
+    * ``bleach.clean`` and friends can now take a callable as an attributes arg value.
+    * Tons of bug fixes.
+    * Cleaned up tests.
+    * Documentation fixes.
+- Update to Version 1.5
+  + Backwards incompatible changes
+    * clean: The list of ``ALLOWED_PROTOCOLS`` now defaults to http, https and
+      mailto.
+  + Changes
+    * clean: Added ``protocols`` to arguments list to let you override the list of
+      allowed protocols. Thank you, Andreas Malecki! #149
+    * linkify: Fix a bug involving periods at the end of an email address. Thank you,
+      Lorenz Schori! #219
+    * linkify: Fix linkification of non-ascii ports. Thank you Alexandre, Macabies!
+      #207
+    * linkify: Fix linkify inappropriately removing node tails when dropping nodes.
+      #132
+    * Fixed a test that failed periodically. #161
+    * Switched from nose to py.test. #204
+    * Add test matrix for all supported Python and html5lib versions. #230
+    * Limit to html5lib ``>=0.999,!=0.9999,!=0.99999,<0.99999999`` because 0.9999
+      and 0.99999 are busted.
+    * Add support for ``python setup.py test``. #97
+- Update to Version 1.4.3 (May 23rd, 2016)
+  + Changes
+    * Limit to html5lib ``>=0.999,<0.99999999`` because of impending change to
+      sanitizer api. #195
+- Update to Version 1.4.2
+  + Changes
+    * linkify: Fix hang in linkify with ``parse_email=True``. #124
+    * linkify: Fix crash in linkify when removing a link that is a first-child. #136
+    * Updated TLDs.
+    * linkify: Don't remove exterior brackets when linkifying. #146
+- Implemenet single-spec version
+
+-------------------------------------------------------------------
+Thu Sep  3 14:39:11 UTC 2015 - toddrme2178@gmail.com
+
+- Fix build on SLE 11
+
+-------------------------------------------------------------------
+Fri Aug  7 22:19:47 UTC 2015 - hpj@urpla.net
+
+- eabled checks again: don't know, why they failed in the first place
+
+-------------------------------------------------------------------
+Thu Jul 30 09:34:52 UTC 2015 - hpj@urpla.net
+
+- disabled checks: developer unresponsive
+
+-------------------------------------------------------------------
+Wed Jun 17 18:11:49 UTC 2015 - hpj@urpla.net
+
+- updated to version 1.4.1
+
+-------------------------------------------------------------------
+Mon May 26 22:28:56 UTC 2014 - hpj@urpla.net
+
+- version 1.4: initial build
+
--- a/python-bleach.spec
+++ b/python-bleach.spec
@ -0,0 +1,75 @@
+#
+# spec file for package python-bleach
+#
+# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2015 LISA GmbH, Bingen, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?sle15_python_module_pythons}
+Name:           python-bleach
+Version:        6.0.0
+Release:        0
+Summary:        A whitelist-based HTML-sanitizing tool
+License:        Apache-2.0
+URL:            https://github.com/jsocol/bleach
+Source:         https://files.pythonhosted.org/packages/source/b/bleach/bleach-%{version}.tar.gz
+Patch0:         de-vendor.patch
+# https://github.com/mozilla/bleach/pull/706
+Patch1:         strip-spaces.patch
+BuildRequires:  %{python_module html5lib >= 1.1}
+BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros
+Requires:       python-html5lib >= 1.1
+BuildArch:      noarch
+%python_subpackages
+
+%description
+Bleach is an HTML sanitation library that escapes or strips markup and
+attributes based on a white list. Bleach can also linkify text safely, applying
+filters that Django's ``urlize`` filter cannot, and optionally setting ``rel``
+attributes, even on links already in the text.
+
+Bleach is intended for sanitizing text from *untrusted* sources.
+
+Because it relies on html5lib, Bleach is as good as modern browsers at dealing
+with weird, quirky HTML fragments. Bleach's methods will fix
+unbalanced or mis-nested tags.
+
+Documentation is at http://bleach.readthedocs.org/ .
+
+%prep
+%autosetup -p1 -n bleach-%{version}
+rm -rf bleach/_vendor
+
+%build
+%python_build
+
+%install
+%python_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+%check
+# gh#mozilla/bleach#503
+%pytest -k 'not test_uri_value_allowed_protocols'
+
+%files %{python_files}
+%license LICENSE
+%doc CHANGES README.rst
+%{python_sitelib}/bleach
+%{python_sitelib}/bleach-%{version}*-info
+
+%changelog
--- a/strip-spaces.patch
+++ b/strip-spaces.patch
@ -0,0 +1,22 @@
+Index: bleach-6.0.0/tests/test_parse_shim.py
+===================================================================
+--- bleach-6.0.0.orig/tests/test_parse_shim.py
+++ bleach-6.0.0/tests/test_parse_shim.py
+@@ -48,14 +48,12 @@ class ParseResult:
+             ParseResult(scheme="non-special", netloc=":@test", path="/x"),
+         ),
+         ("http:foo.com", ParseResult(scheme="http", path="foo.com")),
+-        # NOTE(willkg): The wpt tests set the scheme to http becaue that's what
+        # NOTE(willkg): The wpt tests set the scheme to http because that's what
+         # the base url is. Since our parser is not using a baseurl, it sets the
+-        # scheme to "". Further, our parser includes spaces at the beginning,
+-        # but I don't see that as being problematic.
+-        ("\t   :foo.com   \n", ParseResult(path="   :foo.com   ")),
+        # scheme to "".
+         # NOTE(willkg): The wpt tests set the path to "/foo/foo.com" because
+         # the base url is at "/foo"
+-        (" foo.com  ", ParseResult(path=" foo.com  ")),
+        ("foo.com  ", ParseResult(path="foo.com  ")),
+         ("a:\t foo.com", ParseResult(scheme="a", path=" foo.com")),
+         (
+             "http://f:21/ b ? d # e ",