
bleach is deprecated, html5lib unmaintained #14316

Open
pllim opened this issue Jan 25, 2023 · 0 comments

Comments


pllim commented Jan 25, 2023

As per this announcement (repeated below so one less click for you):

Summary

As of now, Bleach is deprecated.

We will continue to support Bleach:

  • security updates
  • support for new Python versions
  • fixes for egregious bugs

I figure that's one release a year or something like that.

Why?

Bleach sits on top of--and heavily relies on--html5lib which is no longer in active development. It is increasingly difficult to maintain Bleach in that context and I think it's nuts to build a security library on top of a library that's not in active development. There are some options (switch to something else, take over html5lib, etc), I don't particularly like any of them. I think instead, someone new should explore the options with a brand new library and a fresh start.

How does this affect astropy?

From our own installation doc:

  • html5lib: To read astropy.table.Table objects from HTML files using the pandas reader.
  • bleach: Used to sanitize text when disabling HTML escaping in the astropy.table.Table HTML writer.

Affected code:

if method == "bleach_clean":

method = "escape_xml" if col_escaped else "bleach_clean"

'html5lib'. html5lib is a highly lenient parser and therefore

if not _HAS_LXML and _HAS_HTML5LIB and _HAS_BS4:
    read_kwargs["flavor"] = "bs4"

Given both are optional dependencies, I think we can remove them, but it would be an API change and a loss of some features.

Should we wait and see how this plays out upstream? But how long?
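The escape_xml / bleach_clean choice in the affected writer code, rebuilt as an added Python example (not astropy's or bleach's own code): the escape path is plain html.escape, and a stdlib HTMLParser allowlist filter stands in for bleach's clean() so the difference between escaping and sanitizing is visible. The tag allowlist, attribute rule and safe-scheme list are constructed for the demo and far smaller than bleach's real defaults.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "a"}              # constructed allowlist for the demo
ALLOWED_ATTRS = {"a": {"href"}}             # attributes each allowed tag may keep
SAFE_SCHEMES = ("http://", "https://", "mailto:")
RAW_TEXT_TAGS = {"script", "style"}         # dropped together with their content

class _Sanitizer(HTMLParser):
    # Rebuilds markup keeping only allowlisted tags and attributes (bleach-like).
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0   # skip_depth > 0 inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1            # drop JS/CSS source, not just the tag
        if tag not in ALLOWED_TAGS:
            return                          # unknown tag dropped, its text kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                    # rejects javascript: and data: URLs
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:             # text is re-escaped, never trusted
            self.out.append(html.escape(data, quote=False))

def sanitize_html(text):
    parser = _Sanitizer()                   # stand-in for the bleach_clean path
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

def render_cell(text, col_escaped):
    # Mirror the writer's dispatch: escape_xml unless HTML escaping is disabled.
    method = "escape_xml" if col_escaped else "bleach_clean"
    if method == "escape_xml":
        return html.escape(text, quote=True)   # default path: entities only
    return sanitize_html(text)
```

Removing bleach without a replacement leaves only the escape path, which is what the "loss of some features" above amounts to for writers that disable escaping.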
