bug: Bleach should escape unclosed less than sign and render it instead of treating it as unclosed html.

[hoIIer]

bleach.clean(text) thinks less than sign without a closing greater than sign is html and clears it from output.

"a < b" -> "a &lt; b"
"a<b" -> "a"

Bleach should escape unclosed less than sign and render as "a&lt;b" or offer an option to do so.

• Python Version: [e.g. 3.8.2]
• Bleach Version: [e.g. 3.2.1]

bleach.clean('a<b')

[g-k]

Huh, yeah "a<b" -> "a" is a bug or regression.

Bleach should escape unclosed less than sign and render as "a<b" or offer an option to do so.

Bleach should escape it to avoid dangling markup attacks https://portswigger.net/web-security/cross-site-scripting/dangling-markup

[soujanyat]

Have a similar use case where bleach escape greater than or less than sign for the value comparison.

example: 10 > 5
bleach.clean('10 > 5')
u'10 > 5'

Since it is a comparison Html escape shouldn't happen. How to handle such use cases in bleach.clean()

[Id3aFly]

I also have this problem, when my string contains e.g. "Related to all items <G1"
bleach.clean('related to all items <G1') = 'related to all items '
This affects all strings with an unclosed < followed by an alphabetic char.

However, this does not happen for

• greater than symbols: bleach.clean('related to all items >G1') = 'related to all items >G1'
• digits: bleach.clean('related to all items <1') = 'related to all items &lt;1'
• if there is a space: bleach.clean('related to all items < G1') = 'related to all items &lt; G1'

[willkg]

This was fixed in 5.0.1 and is a dupe of issue #544.