Changelog History

  • v3.1.5 Changes

    April 29, 2020

    Security fixes

    None

    Features

    None

    Bug fixes

    • Replace missing setuptools dependency with packaging. Thank you, Benjamin Peterson.
  • v3.1.4 Changes

    March 24, 2020

    Security fixes

    • bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

    Calls to bleach.clean with an allowed tag with an allowed style attribute were vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

    This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.

    Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

    https://bugzilla.mozilla.org/show_bug.cgi?id=1623633

    Backwards incompatible changes

    • Style attributes with dashes, or single or double quoted values are cleaned instead of passed through.

    Features

    None

    Bug fixes

    None

  • v3.1.3 Changes

    March 17, 2020

    Security fixes

    None

    Backwards incompatible changes

    • Drop support for Python 3.4. Thank you, @hugovk!

    • Drop deprecated setup.py test support. Thank you, @jdufresne! (#507)

    Features

    • Add support for Python 3.8. Thank you, @jdufresne!

    • Add support for PyPy 7. Thank you, @hugovk!

    • Add pypy3 testing to tox and travis. Thank you, @jdufresne!

    Bug fixes

    • Add relative link to code of conduct. (#442)

    • Fix typo: curren -> current in tests/test_clean.py. Thank you, timgates42! (#504)

    • Fix handling of non-ascii style attributes. Thank you, @sekineh! (#426)

    • Simplify tox configuration. Thank you, @jdufresne!

    • Make documentation reproducible. Thank you, @lamby!

    • Fix typos in code comments. Thank you, @zborboa-g!

    • Fix exception value testing. Thank you, @mastizada!

    • Fix parser-tags NoneType exception. Thank you, @bope!

    • Improve TLD support in linkify. Thank you, @pc-coholic!

  • v3.1.2 Changes

    March 17, 2020

    Security fixes

    • bleach.clean behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS.

    Calls to bleach.clean with strip=False and math or svg tags and one or more of the RCDATA tags script, noscript, style, noframes, iframe, noembed, or xmp in the allowed tags whitelist were vulnerable to a mutation XSS.

    This security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.

    Anyone using Bleach <=v3.1.1 is encouraged to upgrade.

    https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

    Backwards incompatible changes

    None

    Features

    None

    Bug fixes

    None

  • v3.1.1 Changes

    February 13, 2020

    Security fixes

    • bleach.clean behavior parsing noscript tags did not match browser behavior.

    Calls to bleach.clean allowing noscript and one or more of the raw text tags (title, textarea, script, style, noembed, noframes, iframe, and xmp) were vulnerable to a mutation XSS.

    This security issue was confirmed in Bleach versions v2.1.4, v3.0.2, and v3.1.0. Earlier versions are probably affected too.

    Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.

    https://bugzilla.mozilla.org/show_bug.cgi?id=1615315

    Backwards incompatible changes

    None

    Features

    None

    Bug fixes

    None

  • v3.1.0 Changes

    January 09, 2019

    Security fixes

    None

    Backwards incompatible changes

    None

    Features

    • Add recognized_tags argument to the linkify Linker class. This fixes issues when linkifying on its own and having some tags get escaped. It defaults to a list of HTML5 tags. Thank you, Chad Birch! (#409)

    Bug fixes

    • Add six>=1.9 to requirements. Thank you, Dave Shawley (#416)

    • Fix cases where attribute names could have invalid characters in them. (#419)

    • Fix problems with LinkifyFilter not being able to match links across &amp;. (#422)

    • Fix InputStreamWithMemory when the BleachHTMLParser is parsing meta tags. (#431)

    • Fix doctests. (#357)

  • v3.0.2 Changes

    October 11, 2018

    Security fixes

    None

    Backwards incompatible changes

    None

    Features

    None

    Bug fixes

    • Merge Characters tokens after sanitizing them. This fixes issues in the LinkifyFilter where it was only linkifying parts of urls. (#374)
  • v3.0.1 Changes

    October 09, 2018

    Security fixes

    None

    Backwards incompatible changes

    None

    Features

    • Support Python 3.7. It supported Python 3.7 just fine, but we added 3.7 to the list of Python environments we test so this is now officially supported. (#377)

    Bug fixes

    • Fix list object has no attribute lower in clean. (#398)
    • Fix abbr getting escaped in linkify. (#400)
  • v3.0.0 Changes

    October 03, 2018

    Security fixes

    None

    Backwards incompatible changes

    • A bunch of functions were moved from one module to another.

    These were moved from bleach.sanitizer to bleach.html5lib_shim:

    • convert_entity
    • convert_entities
    • match_entity
    • next_possible_entity
    • BleachHTMLSerializer
    • BleachHTMLTokenizer
    • BleachHTMLParser

    These functions and classes weren't documented and aren't part of the public API, but people read code and might be using them so we're considering it an incompatible API change.

    If you're using them, you'll need to update your code.

    Features

    • Bleach no longer depends on html5lib. html5lib==1.0.1 is now vendored into Bleach. You can remove it from your requirements file if none of your other requirements require html5lib.

    This means Bleach will now work fine with other libraries that depend on html5lib regardless of what version of html5lib they require. (#386)

    Bug fixes

    • Fixed tags getting added when using clean or linkify. This was a long-standing regression from the Bleach 2.0 rewrite. (#280, #392)

    • Fixed <isindex> getting replaced with a string. Now it gets escaped or stripped depending on whether it's in the allowed tags or not. (#279)

  • v2.1.4 Changes

    August 16, 2018

    Security fixes

    None

    Backwards incompatible changes

    • Dropped support for Python 3.3. (#328)

    Features

    None

    Bug fixes

    • Handle ambiguous ampersands correctly. (#359)
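
The three security entries above (v3.1.4, v3.1.2 and v3.1.1) each tie the issue to a particular bleach.clean configuration. As an added example, not part of the Bleach changelog or code base, this Python check maps a version and clean() settings to those entries. The function names are hypothetical, and every version at or below the stated upgrade threshold is treated as affected, as the entries advise.

```python
import re

# Tag sets transcribed from the v3.1.2 and v3.1.1 entries above.
RCDATA = {"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"}
RAW_TEXT = {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}


def parse_version(text):
    """'v3.1.3' or '3.1.3' -> (3, 1, 3); anything else is rejected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def style_attr_allowed(tags, attributes):
    """True if some allowed tag may keep a style attribute."""
    if not tags:
        return False
    if callable(attributes):
        return True  # assumption: an opaque callable might allow style
    if isinstance(attributes, dict):
        return any(
            (tag == "*" or tag in tags) and (callable(allowed) or "style" in allowed)
            for tag, allowed in attributes.items()
        )
    return "style" in attributes


def applicable_advisories(version, tags, attributes, strip=False):
    """Return the advisories from this changelog that apply to a clean() setup."""
    v = parse_version(version)
    tags = {t.lower() for t in tags}
    hits = []
    if v <= (3, 1, 3) and style_attr_allowed(tags, attributes):
        hits.append("bug 1623633: ReDoS in style attribute parsing, fixed in v3.1.4")
    if v <= (3, 1, 1) and not strip and tags & {"math", "svg"} and tags & RCDATA:
        hits.append("bug 1621692: mutation XSS via math/svg with RCDATA tags, fixed in v3.1.2")
    if v <= (3, 1, 0) and "noscript" in tags and tags & RAW_TEXT:
        hits.append("bug 1615315: mutation XSS via noscript with raw text tags, fixed in v3.1.1")
    return hits


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real deployment.
    for line in applicable_advisories("3.1.0", ["a", "svg", "noscript", "style"],
                                      {"a": ["href", "style"]}, strip=False):
        print(line)
```

Run it in CI against the pinned Bleach version and the tag and attribute allowlists the application passes to bleach.clean; an empty list means none of the three entries applies to that setup.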