weixin_39626369
2020-11-28 00:43

Upgrade bleach>=2.1

There seem to be security issues in the major bleach release, but there also seems to be some backwards-incompatible stuff.

This question comes from the open-source project: django-wiki/django-wiki


10 replies

  • weixin_39712016 5 months ago

    Any progress on this? or maybe you need some help?

  • weixin_39626369 5 months ago

    -partizan would love some help on this!

  • weixin_39712016 5 months ago

    Maybe even drop bleach altogether and replace it with https://github.com/matthiask/html-sanitizer, or something else?

    I'm trying to upgrade my project to Python 3, and bleach uses a pinned dependency on html5lib with a version incompatible with the latest xhtml2pdf.

  • weixin_39626369 5 months ago

    From HTML Sanitizer's description:

    HTML sanitizer goes further than e.g. bleach in that it not only ensures that content is safe and tags and attributes conform to a given whitelist, but also applies additional transforms to HTML fragments.

    I don't think we need this?

    It would be a bit over the top to replace bleach without any reason. It's a widely supported and used library, so I trust it for the longer term.

    I'm trying to upgrade my project to Python 3, and bleach uses a pinned dependency on html5lib with a version incompatible with the latest xhtml2pdf.

    Oh, I didn't know that. A workaround is to pin the html5lib dependency in your project's requirements.txt. I don't know for what purpose bleach has pinned it, but reusable apps should not pin versions unless they really need to.

  • weixin_39712016 5 months ago

    Yeah, probably html-sanitizer is a bit overkill.

    I looked at the issues at bleach and found this: https://github.com/mozilla/bleach/issues/255 They were thinking about replacing html5lib, but it looks like it hasn't gone too far.

    Updating bleach here would fix my incompatibility, so I'll take a look. What do I need to know before I start?

  • weixin_39626369 5 months ago

    -partizan

    For the upgrade, it's very important that configuration options aren't changed. I don't think that they will change.

    Other than that, coverage is reasonably high, so I would think it works when the tests say so :)

  • weixin_39712016 5 months ago

    Updated bleach, but it looks like they are now removing tags from strings like </html>only_this instead of escaping them. So, one test fails.

    What should we do? I think bleach is correct in this case, and it's better to fix the test to expect only_this.

  • weixin_39626369 5 months ago

    -partizan if you open a PR for your changes, you will see the results of the automated tests etc. :)

  • weixin_39712016 5 months ago

    Done)

  • weixin_39626369 5 months ago

    Fixed in #860 - thanks -partizan!!
