- update to 6.1.0:
* Dropped support for Python 3.7.
* Add support for Python 3.12.
* Fix linkify with arrays in querystring
* Handle more cases with < followed by character data
* Fix entities inside a tags in linkification
* Update cap for tinycss2 to <1.3
* Updated Sphinx requirement
* Add dependabot for github actions and update github actions
- Update to V3.1.1: Security update for CVE-2020-6802
* CVE-2020-6802: Fixed mutation XSS vulnerabilities (bsc#1165303).
OBS-URL: https://build.opensuse.org/request/show/1120892
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-bleach?expand=0&rev=20
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=55
- Update to 6.0.0:
* bleach.clean, bleach.sanitizer.Cleaner,
bleach.html5lib_shim.BleachHTMLParser: the tags and protocols
arguments were changed from lists to sets.
* bleach.linkify, bleach.linkifier.Linker: the skip_tags and
recognized_tags arguments were changed from lists to sets.
* bleach.sanitizer.BleachSanitizerFilter: strip_allowed_elements is
now strip_allowed_tags. We now use “tags” everywhere rather than a
mishmash of “tags” in some places and “elements” in others.
# Bug fixes
* Add support for Python 3.11. (#675)
* Fix API weirdness in BleachSanitizerFilter. (#649)
* We’re using “tags” instead of “elements” everywhere–no more weird
overloading of “elements” anymore.
* Also, it no longer calls the superclass constructor.
* Add warning when css_sanitizer isn’t set, but the style attribute
is allowed. (#676)
* Fix linkify handling of character entities. (#501)
* Rework dev dependencies to use requirements-dev.txt and
requirements-flake8.txt instead of extras.
* Fix project infrastructure to be tox-based so it’s easier to have
CI run the same things we’re running in development and with
flake8 in an isolated environment.
* Update action versions in CI.
* Switch to f-strings where possible. Make tests parametrized to be
easier to read/maintain.
OBS-URL: https://build.opensuse.org/request/show/1085516
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-bleach?expand=0&rev=18
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=51
- Update to 5.0.1:
* Add missing comma to tinycss2 require. Thank you, @shadchin!
* Add url parse tests based on wpt url tests. (#688)
* Support scheme-less urls if "https" is in allow list. (#662)
* Handle escaping ``<`` in edge cases where it doesn't start a tag. (#544)
* Correctly urlencode email address parts. Thank you, @larseggert! (#659)
* ``clean`` and ``linkify`` now preserve the order of HTML attributes.
* Drop support for Python 3.6. Thank you, @hugovk! (#629)
* CSS sanitization in style tags is completely different now.
* Python 3.9 support
* Drop support for unsupported Python versions <3.6. (#520)
* add more tests for CVE-2021-23980 / GHSA-vv2x-vrpj-qqpq
- Refresh de-vendor.patch, and convert to patch level 1
OBS-URL: https://build.opensuse.org/request/show/1006839
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-bleach?expand=0&rev=14
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=43
- update to 3.1.4 (bsc#1168280, CVE-2020-6817):
* ``bleach.clean`` behavior parsing style attributes could result in a
regular expression denial of service (ReDoS).
Calls to ``bleach.clean`` with an allowed tag with an allowed
``style`` attribute were vulnerable to ReDoS. For example,
``bleach.clean(..., attributes={'a': ['style']})``.
* Style attributes with dashes, or single or double quoted values are
cleaned instead of passed through.
- update to 3.1.3 (bsc#1167379, CVE-2020-6816):
OBS-URL: https://build.opensuse.org/request/show/790549
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-bleach?expand=0&rev=10
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=35
- update to 3.1.3 (bsc#1167379):
* Add relative link to code of conduct. (#442)
* Drop deprecated 'setup.py test' support. (#507)
* Fix typo: curren -> current in tests/test_clean.py (#504)
* Test on PyPy 7
* Drop test support for end of life Python 3.4
* ``bleach.clean`` behavior parsing embedded MathML and SVG content
with RCDATA tags did not match browser behavior and could result in
a mutation XSS.
Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
``svg`` tags and one or more of the RCDATA tags ``script``,
``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
``xmp`` in the allowed tags whitelist were vulnerable to a mutation
XSS.
This security issue was confirmed in Bleach version v3.1.1. Earlier
versions are likely affected too.
OBS-URL: https://build.opensuse.org/request/show/787398
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-bleach?expand=0&rev=9
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-bleach?expand=0&rev=32
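Added example (not part of the package changelog or of Bleach itself): a check of a ``bleach.clean`` configuration against the two conditions the 3.1.3 and 3.1.4 entries above describe. The function names, the finding labels and the version thresholds (taken from the entries under which this changelog lists each fix) are assumptions of this example.

```python
from itertools import takewhile

# Tag sets quoted from the 3.1.3 entry above.
RCDATA_TAGS = {"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"}
FOREIGN_TAGS = {"math", "svg"}
# Assumption: thresholds are the updates under which this changelog lists each fix.
MXSS_FIXED_IN = (3, 1, 3)
REDOS_FIXED_IN = (3, 1, 4)


def parse_version(text):
    """'3.1.1' -> (3, 1, 1); suffixes such as 'rc1' are ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def style_allowed_for(attributes, tags):
    """Return the allowed tags on which the style attribute is (or may be) allowed."""
    tags = set(tags)
    if callable(attributes):
        return tags  # a callable cannot be inspected; treated as possibly allowing style
    if isinstance(attributes, dict):
        hit = set()
        for tag, allowed in attributes.items():
            if callable(allowed) or "style" in allowed:
                hit |= tags if tag == "*" else ({tag} & tags)
        return hit
    return tags if "style" in attributes else set()


def audit(version, tags, attributes, strip=False):
    """List (label, tags) findings for a bleach.clean(tags=..., attributes=..., strip=...) call."""
    findings = []
    tags = set(tags)
    installed = parse_version(version)
    # 3.1.3 entry: strip=False, math or svg allowed, and at least one RCDATA tag allowed.
    if installed < MXSS_FIXED_IN and not strip and tags & FOREIGN_TAGS and tags & RCDATA_TAGS:
        findings.append(("mutation-xss", sorted(tags & (FOREIGN_TAGS | RCDATA_TAGS))))
    # 3.1.4 entry: an allowed tag with an allowed style attribute.
    styled = style_allowed_for(attributes, tags)
    if installed < REDOS_FIXED_IN and styled:
        findings.append(("style-redos", sorted(styled)))
    return findings
```

An empty list means neither condition from the changelog applies to that version and configuration; it says nothing about issues the changelog does not describe.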