bleach is deprecated; statement on project going forward (2023-01-23) #698
Comments
|
Thank you for all your work on Bleach, and for announcing this clearly and with plenty of notice! |
|
Hi @willkg , If not, I'm struggling finding a suitable replacement for bleach to be honest. Does someone have recommendations to safely sanitize html user input? Cheers! |
ammonia has a python binder you can use with similar features + faster speeds |
|
Thank you, @willkg, for your stewardship of Bleach for so long—much longer than I had it or than I bet you expected to 😅 And thank you to all of the other contributors over the past dozen years. It's still amazing to me to see how much this project spread and influenced other libraries. nh3/ammonia look like fantastic, fast alternatives built on a rock solid foundation in html5ever. |
|
Update: I just pushed out Bleach 6.1.0 which drops Python 3.7 support, picks up Python 3.12 support, and fixes a handful of issues. I also closed out a lot of old issues and issues for things we're not going to fix. I will continue fixing security issues as they come up. Barring anything exciting, I'll probably do the next release when Python releases 3.13. |
|
@willkg Could this library or html5lib-python benefit from any "lifting efforts" as provided by Tidelift? E.g. https://tidelift.com/subscription/pkg/pypi-pillow. I am potentially looking for something new to "lift"… thanks for any info or guidance towards where to put my efforts. |
Corrector is currently using slow and deprecated (mozilla/bleach#698) bleach. Based on the fact that X-Road metrics should not contain HTML it would be more beneficial to just use python translate method and replace potentially dangerous HTML characters. Translate does not parse html and estimated to be 100 times faster than bleach. Using translate method instead of bleach.clean. Renaming sanitise -> sanitize to be consistent with the rest of the code.
|
As of January 2024 there have been 3 commits to the htlm5lib repo: https://github.com/html5lib/html5lib-python/commits/master/ The html5lib is not entirely dead |
|
FWIW, I tried nh3 as a replacement and found it to be unusable. I reported one issue here, but I've also found others that are at least as severe and probably much harder to fix: There also don't seem to be any Python libraries for linkifying HTML documents, only markdown. I understand why maintaining this library is problematic, but the functionality it provides is essential and there doesn't seem to be any viable replacement right now for either sanitization or linkification. I don't know what the right answer is, but wanted to share my experience since I've now put a few hours into trying to find a viable replacement for each set of functionality. |
|
|
|
As @Alex3917 mentions, I've also tried implementing nh3 and the allowlists for tags and attributes does not work as described by the doucmentation for anyone who also may stumble into this problem |
Summary
As of now, Bleach is deprecated.
We will continue to support Bleach:
I figure that's one release a year or something like that.
Why?
Bleach sits on top of--and heavily relies on--html5lib which is no longer in active development. It is increasingly difficult to maintain Bleach in that context and I think it's nuts to build a security library on top of a library that's not in active development. There are some options (switch to something else, take over html5lib, etc), I don't particularly like any of them. I think instead, someone new should explore the options with a brand new library and a fresh start.
The text was updated successfully, but these errors were encountered: