jupyter / nbconvert

Jupyter Notebook Conversion
https://nbconvert.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
1.72k stars 563 forks

RFE: drop use of `bleach` as this module is marked as deprecated #1952

Open kloczek opened 1 year ago

kloczek commented 1 year ago

bleach is deprecated; statement on project going forward (2023-01-23) https://github.com/mozilla/bleach/issues/698

kloczek commented 1 year ago
[tkloczko@pers-jacek nbconvert-7.2.9]$ grep bleach -wr *
CHANGELOG.md:- Replace lxml.html.clean_html with bleach; drop lxml dependency by
CHANGELOG.md:- Support bleach 5, add packaging and tinycss2 dependencies by
nbconvert/filters/strings.py:import bleach
nbconvert/filters/strings.py:    return bleach.clean(
nbconvert/filters/strings.py:        tags=[*bleach.ALLOWED_TAGS, *ALLOWED_SVG_TAGS, "div", "pre", "code", "span"],
nbconvert/filters/strings.py:            **bleach.ALLOWED_ATTRIBUTES,
nbconvert/filters/svg_constants.py:# Quoth the migration guide (https://github.com/mozilla/bleach/blob/main/docs/migrating.rst#different-allow-lists):
nbconvert/filters/svg_constants.py:#       See https://github.com/mozilla/bleach/issues/362
nbconvert/preprocessors/sanitize.py:from bleach import ALLOWED_ATTRIBUTES, ALLOWED_TAGS, clean
nbconvert/preprocessors/sanitize.py:    # bleach[css] >=5.0
nbconvert/preprocessors/sanitize.py:    from bleach.css_sanitizer import ALLOWED_CSS_PROPERTIES as ALLOWED_STYLES
nbconvert/preprocessors/sanitize.py:    from bleach.css_sanitizer import CSSSanitizer
nbconvert/preprocessors/sanitize.py:        # bleach <5
nbconvert/preprocessors/sanitize.py:        from bleach import ALLOWED_STYLES  # type:ignore
nbconvert/preprocessors/sanitize.py:            "Support for bleach <5 will be removed in a future version of nbconvert",
nbconvert/preprocessors/sanitize.py:            "The installed bleach/tinycss2 do not provide CSS sanitization, "
nbconvert/preprocessors/sanitize.py:            "please upgrade to bleach >=5",
kloczek commented 5 months ago

There are some examples of replacing bleach by nh3 https://github.com/netbox-community/netbox/pull/14767

blink1073 commented 5 months ago

Unfortunately nh3 does not sanitize css.
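
What "sanitize CSS" means in practice, as an added example that is not nbconvert's, bleach's or nh3's code: a minimal allowlist sanitizer built on the standard library in which `style` attributes pass through a CSS property/value filter, the step the comment above says nh3 lacks. The tag and CSS allowlists (`ALLOWED_TAGS`, `STYLE_TAGS`, `ALLOWED_CSS`, `DANGEROUS_VALUE`) are assumptions loosely modelled on the sanitize.py lines quoted above, not copied from them.

```python
# Added example (not nbconvert's own code); the allowlists are assumptions.
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "p", "span", "div", "pre", "code"}
STYLE_TAGS = {"span", "div"}  # the only attribute kept is style, on these tags
ALLOWED_CSS = {"color", "background-color", "font-weight", "text-align"}
# CSS values that fetch remote content or ran script in old engines
DANGEROUS_VALUE = re.compile(r"url\s*\(|expression\s*\(|javascript:|@import", re.I)


def sanitize_css(style):
    """Keep only allowlisted CSS declarations whose value is not dangerous."""
    kept = []
    for decl in style.split(";"):
        prop, _, value = (s.strip() for s in decl.partition(":"))
        if prop.lower() in ALLOWED_CSS and value and not DANGEROUS_VALUE.search(value):
            kept.append(f"{prop.lower()}: {value}")
    return "; ".join(kept)


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], False  # skip drops <script>/<style> bodies

    def handle_starttag(self, tag, attrs):
        self.skip = tag in ("script", "style")
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text is still escaped below
        parts = []
        for name, value in attrs:  # every attribute other than style is dropped
            if name == "style" and tag in STYLE_TAGS:
                value = sanitize_css(value or "")  # the CSS step nh3 lacks
                if value:
                    parts.append(f' style="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        self.skip = False
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()  # flushes buffered trailing text
    return "".join(parser.out)
```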

kloczek commented 5 months ago

So probably the only alternative could be lxml? 🤔 https://github.com/jupyter/nbconvert/issues/1892 Revert https://github.com/jupyter/nbconvert/pull/1854? 🤔

blink1073 commented 5 months ago

They removed clean_html from lxml and stated that it was not safe: https://github.com/fedora-python/lxml_html_clean

kloczek commented 5 months ago

OK, so that could possibly be a migration target? 🤔 If yes, maybe I should try to prepare for that by trying to package lxml-html-clean in my distro? 😋

blink1073 commented 5 months ago

I don't want to switch to something that is explicitly marked as unsafe. Bleach is still getting security releases, I don't see a reason to switch anything at this time.

kloczek commented 5 months ago

Sooner or later some replacement needs to be found, as more and more other modules are dropping the use of bleach. Quite quickly there will be fewer and fewer eyeballs watching that module's security aspects. In my distro I have ATM packaged 1.25k+ python modules as rpm packages. After the deprecation announcement, the number of modules still using bleach dropped from 12 to 3 in the first two weeks. Now, in that small population, nbconvert is the only remaining module 🤔

blink1073 commented 5 months ago

I've stated my position. I'm unsubscribing from this issue.