Changelog History
v3.1.5 Changes
April 29, 2020
Security fixes
None
Features
None
Bug fixes
- Replace missing `setuptools` dependency with `packaging`. Thank you Benjamin Peterson.

v3.1.4 Changes
March 24, 2020
Security fixes
- `bleach.clean` behavior parsing style attributes could result in a regular expression denial of service (ReDoS).
  Calls to `bleach.clean` with an allowed tag with an allowed `style` attribute were vulnerable to ReDoS. For example, `bleach.clean(..., attributes={'a': ['style']})`.
  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.
  Anyone using Bleach <=v3.1.3 is encouraged to upgrade.
  https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
Backwards incompatible changes
- Style attributes with dashes, or single or double quoted values are cleaned instead of passed through.
Features
None
Bug fixes
None

v3.1.3 Changes
March 17, 2020
Security fixes
None
Backwards incompatible changes
- Drop support for Python 3.4. Thank you, @hugovk!
- Drop deprecated `setup.py test` support. Thank you, @jdufresne! (#507)
Features
- Add support for Python 3.8. Thank you, @jdufresne!
- Add support for PyPy 7. Thank you, @hugovk!
- Add pypy3 testing to tox and travis. Thank you, @jdufresne!
Bug fixes
- Add relative link to code of conduct. (#442)
- Fix typo: curren -> current in tests/test_clean.py. Thank you, timgates42! (#504)
- Fix handling of non-ascii style attributes. Thank you, @sekineh! (#426)
- Simplify tox configuration. Thank you, @jdufresne!
- Make documentation reproducible. Thank you, @lamby!
- Fix typos in code comments. Thank you, @zborboa-g!
- Fix exception value testing. Thank you, @mastizada!
- Fix parser-tags NoneType exception. Thank you, @bope!
- Improve TLD support in linkify. Thank you, @pc-coholic!

v3.1.2 Changes
March 17, 2020
Security fixes
- `bleach.clean` behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS.
  Calls to `bleach.clean` with `strip=False` and `math` or `svg` tags and one or more of the RCDATA tags `script`, `noscript`, `style`, `noframes`, `iframe`, `noembed`, or `xmp` in the allowed tags whitelist were vulnerable to a mutation XSS.
  This security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.
  Anyone using Bleach <=v3.1.1 is encouraged to upgrade.
  https://bugzilla.mozilla.org/show_bug.cgi?id=1621692
Backwards incompatible changes
None
Features
None
Bug fixes
None

v3.1.1 Changes
February 13, 2020
Security fixes
- `bleach.clean` behavior parsing `noscript` tags did not match browser behavior.
  Calls to `bleach.clean` allowing `noscript` and one or more of the raw text tags (`title`, `textarea`, `script`, `style`, `noembed`, `noframes`, `iframe`, and `xmp`) were vulnerable to a mutation XSS.
  This security issue was confirmed in Bleach versions v2.1.4, v3.0.2, and v3.1.0. Earlier versions are probably affected too.
  Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.
  https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
Backwards incompatible changes
None
Features
None
Bug fixes
None
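
The three security fixes above (v3.1.4, v3.1.2, v3.1.1) each depend on a specific combination of installed version, allowed tags, allowed attributes and the `strip` setting. The check below is an added example, not part of Bleach or its changelog: it reports which of those advisories a given `bleach.clean` configuration falls under, using the "<=" version bounds stated in each entry. The function names and the sample configuration are hypothetical.

```python
# Added example (not Bleach code). Names are hypothetical; versions are assumed
# to be plain dotted numbers such as "3.1.3".
RCDATA_TAGS = {"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"}
RAW_TEXT_TAGS = {"title", "textarea", "script", "style", "noembed", "noframes",
                 "iframe", "xmp"}


def parse_version(text):
    """Turn '3.1.3' or 'v3.1.3' into (3, 1, 3) so versions compare as tuples."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def allows_style_attribute(attributes):
    """True if any tag may keep a style attribute.

    Callables cannot be inspected statically, so they count as allowing it.
    """
    if callable(attributes):
        return True
    if isinstance(attributes, dict):
        return any(callable(allowed) or "style" in allowed
                   for allowed in attributes.values())
    return "style" in attributes


def audit(version, tags, attributes, strip=False):
    """Return the Bugzilla ids of the changelog advisories that apply."""
    installed = parse_version(version)
    tags = set(tags)
    findings = []
    # ReDoS in style attribute parsing, fixed in v3.1.4.
    if installed <= (3, 1, 3) and allows_style_attribute(attributes):
        findings.append("1623633")
    # Mutation XSS: strip=False, math/svg plus an RCDATA tag, fixed in v3.1.2.
    if (installed <= (3, 1, 1) and not strip
            and tags & {"math", "svg"} and tags & RCDATA_TAGS):
        findings.append("1621692")
    # Mutation XSS: noscript plus a raw text tag, fixed in v3.1.1.
    if installed <= (3, 1, 0) and "noscript" in tags and tags & RAW_TEXT_TAGS:
        findings.append("1615315")
    return findings


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_TAGS = ["a", "p", "svg", "style", "noscript"]
SAMPLE_ATTRIBUTES = {"a": ["href", "style"]}
if __name__ == "__main__":
    for release in ("3.1.0", "3.1.1", "3.1.3", "3.1.5"):
        print(release, audit(release, SAMPLE_TAGS, SAMPLE_ATTRIBUTES))
```

An empty result only means none of these three entries match; upgrading past v3.1.4 remains the fix the changelog recommends.
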

v3.1.0 Changes
January 09, 2019
Security fixes
None
Backwards incompatible changes
None
Features
- Add `recognized_tags` argument to the linkify `Linker` class. This fixes issues when linkifying on its own and having some tags get escaped. It defaults to a list of HTML5 tags. Thank you, Chad Birch! (#409)
Bug fixes
- Add `six>=1.9` to requirements. Thank you, Dave Shawley (#416)
- Fix cases where attribute names could have invalid characters in them. (#419)
- Fix problems with `LinkifyFilter` not being able to match links across `&`. (#422)
- Fix `InputStreamWithMemory` when the `BleachHTMLParser` is parsing `meta` tags. (#431)
- Fix doctests. (#357)

v3.0.2 Changes
October 11, 2018
Security fixes
None
Backwards incompatible changes
None
Features
None
Bug fixes
- Merge `Characters` tokens after sanitizing them. This fixes issues in the `LinkifyFilter` where it was only linkifying parts of urls. (#374)

v3.0.1 Changes
October 09, 2018
Security fixes
None
Backwards incompatible changes
None
Features
- Support Python 3.7. It supported Python 3.7 just fine, but we added 3.7 to the list of Python environments we test so this is now officially supported. (#377)
Bug fixes
- Fix `list` object has no attribute `lower` in `clean`. (#398)
- Fix `abbr` getting escaped in `linkify`. (#400)

v3.0.0 Changes
October 03, 2018
Security fixes
None
Backwards incompatible changes
- A bunch of functions were moved from one module to another.
  These were moved from `bleach.sanitizer` to `bleach.html5lib_shim`:
  - `convert_entity`
  - `convert_entities`
  - `match_entity`
  - `next_possible_entity`
  - `BleachHTMLSerializer`
  - `BleachHTMLTokenizer`
  - `BleachHTMLParser`
  These functions and classes weren't documented and aren't part of the public API, but people read code and might be using them so we're considering it an incompatible API change.
  If you're using them, you'll need to update your code.
Features
- Bleach no longer depends on html5lib. html5lib==1.0.1 is now vendored into Bleach. You can remove it from your requirements file if none of your other requirements require html5lib.
  This means Bleach will now work fine with other libraries that depend on html5lib regardless of what version of html5lib they require. (#386)
Bug fixes
- Fixed tags getting added when using clean or linkify. This was a long-standing regression from the Bleach 2.0 rewrite. (#280, #392)
- Fixed `<isindex>` getting replaced with a string. Now it gets escaped or stripped depending on whether it's in the allowed tags or not. (#279)

v2.1.4 Changes
August 16, 2018
Security fixes
None
Backwards incompatible changes
- Dropped support for Python 3.3. (#328)
Features
None
Bug fixes
- Handle ambiguous ampersands correctly. (#359)