django-cms / djangocms-text-ckeditor

Text Plugin for django CMS using CKEditor 4
https://www.django-cms.org/en/repositories-plugins/
BSD 3-Clause "New" or "Revised" License

DeprecationWarning: html5lib's sanitizer is deprecated #632

Open Gpapidas opened 1 year ago

Gpapidas commented 1 year ago

Hello everyone,

I noticed that djangocms-text-ckeditor is requiring the html5lib package, which has a deprecated sanitizer. html5lib recommends switching to bleach.

Is this something known? Will there be a fix in a next version?

mbi commented 1 year ago

(Resuming discussion from #469)

After a first brief analysis, this looks considerably more complicated than simply swapping one function call to html5lib with another to bleach. Although bleach itself relies on html5lib, they have a significantly different API.

bleach itself uses html5lib at the moment but is considering forking it for much the same reasons.

Finally, html5lib seems to be used in several places throughout the plugin code, not just for sanitizing. It's unclear to me whether you'd expect to entirely remove html5lib, or just the sanitizing portions?

All in all, maybe it'd be saner to wait for a decision from the bleach team on how they wish to handle html5lib and then either use their fork (if any is produced) or mimic / adapt what they'll choose to do.

fsbraun commented 1 year ago

@mbi Thanks so much for the analysis. I was not aware of the discussion to fork html5lib.

Since (for now at least) bleach depends on html5lib we could not remove the html5lib dependency anyway and I was expecting to keep both dependencies.

@marksweb What do you think?

marksweb commented 1 year ago

@fsbraun @mbi I'm happy to wait on a decision.

It'll also then help me consider changes I need to make to django-bleach 😂

mbi commented 1 year ago

Haven't tested it, and can't vouch for its security or capabilities, but html-sanitizer seems like a well-tested and well-supported alternative that doesn't use html5lib.

gs1-rob-392 commented 1 year ago

bleach is deprecated: https://github.com/mozilla/bleach/issues/698

stale[bot] commented 12 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

mavoIn commented 9 months ago

https://ckeditor.com/docs/ckeditor5/latest/updating/ckeditor4/migration-from-ckeditor-4.html

End of life for CKEditor v4 was in June 23.

corentinbettiol commented 9 months ago

We need to remove html5lib and use html-sanitizer instead.

MacLake commented 9 months ago

When checking out the deprecation messages of my djangoCMS project, I noticed that djangocms-text-ckeditor still uses html5lib, so I ended up here.

In an issue on the bleach project, switching to nh3 is recommended; nh3 provides Python bindings to the Rust project ammonia (it took me some time to notice that NH₃ is the chemical formula of ammonia). I've been using it for a while without any problems. The only thing is: you can't sanitize CSS selectively. But it seems that html-sanitizer doesn't allow any inline styles at all. Anyway, that would be another option instead of using html-sanitizer.

stale[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

MacLake commented 6 months ago

This is the activity bot, the counterpart of the stale bot, reminding that this issue is still relevant!