Open kloczek opened 1 year ago
[tkloczko@pers-jacek nbconvert-7.2.9]$ grep bleach -wr *
CHANGELOG.md:- Replace lxml.html.clean_html with bleach; drop lxml dependency by
CHANGELOG.md:- Support bleach 5, add packaging and tinycss2 dependencies by
nbconvert/filters/strings.py:import bleach
nbconvert/filters/strings.py: return bleach.clean(
nbconvert/filters/strings.py: tags=[*bleach.ALLOWED_TAGS, *ALLOWED_SVG_TAGS, "div", "pre", "code", "span"],
nbconvert/filters/strings.py: **bleach.ALLOWED_ATTRIBUTES,
nbconvert/filters/svg_constants.py:# Quoth the migration guide (https://github.com/mozilla/bleach/blob/main/docs/migrating.rst#different-allow-lists):
nbconvert/filters/svg_constants.py:# See https://github.com/mozilla/bleach/issues/362
nbconvert/preprocessors/sanitize.py:from bleach import ALLOWED_ATTRIBUTES, ALLOWED_TAGS, clean
nbconvert/preprocessors/sanitize.py: # bleach[css] >=5.0
nbconvert/preprocessors/sanitize.py: from bleach.css_sanitizer import ALLOWED_CSS_PROPERTIES as ALLOWED_STYLES
nbconvert/preprocessors/sanitize.py: from bleach.css_sanitizer import CSSSanitizer
nbconvert/preprocessors/sanitize.py: # bleach <5
nbconvert/preprocessors/sanitize.py: from bleach import ALLOWED_STYLES # type:ignore
nbconvert/preprocessors/sanitize.py: "Support for bleach <5 will be removed in a future version of nbconvert",
nbconvert/preprocessors/sanitize.py: "The installed bleach/tinycss2 do not provide CSS sanitization, "
nbconvert/preprocessors/sanitize.py: "please upgrade to bleach >=5",
There are some examples of replacing bleach by nh3: https://github.com/netbox-community/netbox/pull/14767
Unfortunately nh3 does not sanitize CSS.
So probably the only alternative could be lxml? 🤔 https://github.com/jupyter/nbconvert/issues/1892 Revert https://github.com/jupyter/nbconvert/pull/1854? 🤔
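What "does not sanitize CSS" means in practice can be shown with a small stdlib-only sanitizer; this is an added example, not code from nbconvert, bleach or nh3. The tag and CSS-property allowlists are constructed assumptions in the spirit of bleach's ALLOWED_TAGS and the ALLOWED_CSS_PROPERTIES that nbconvert's sanitize preprocessor imports, and the hypothetical css=False path models a sanitizer that leaves style attributes unchecked.

```python
import html
import re
from html.parser import HTMLParser

# Constructed allowlists (assumption), in the spirit of bleach.ALLOWED_TAGS and the
# bleach.css_sanitizer.ALLOWED_CSS_PROPERTIES that nbconvert's sanitize preprocessor imports.
ALLOWED_TAGS = {"div", "span", "pre", "code", "p", "b", "i", "em", "strong"}
ALLOWED_ATTRS = {"class", "style"}
ALLOWED_CSS = {"color", "background-color", "font-weight", "font-family", "text-align"}
UNSAFE_VALUE = re.compile(r"url\s*\(|expression\s*\(|javascript:|@import", re.I)
DECL = re.compile(r"^\s*([-a-z]+)\s*:\s*([^;]*?)\s*$", re.I)

def sanitize_style(style: str) -> str:
    """Keep only allowlisted properties whose value carries no url()/expression()."""
    kept = []
    for m in filter(None, map(DECL.match, style.split(";"))):
        prop, value = m.group(1).lower(), m.group(2)
        if prop in ALLOWED_CSS and not UNSAFE_VALUE.search(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)

class _Sanitizer(HTMLParser):
    def __init__(self, css: bool):
        super().__init__(convert_charrefs=True)
        self.css, self.out = css, []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag is stripped; its text still arrives via handle_data
        parts = []
        for name, value in attrs:
            if name == "style" and self.css and value:
                value = sanitize_style(value)  # css=False leaves the style unchecked
            if name in ALLOWED_ATTRS and value:  # on* handlers, href, etc. never pass
                parts.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_html(markup: str, css: bool = True) -> str:
    """css=False models a sanitizer that passes style attributes through unchecked."""
    p = _Sanitizer(css)
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

Run sanitize_html on the same constructed markup with css=True and css=False to see which style declarations survive each path.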
They removed clean_html from lxml and stated that it was not safe: https://github.com/fedora-python/lxml_html_clean
OK, could that be a possible migration target? 🤔
If yes, maybe I should try to prepare for that by packaging lxml-html-clean in my distro? 😋
I don't want to switch to something that is explicitly marked as unsafe. Bleach is still getting security releases, I don't see a reason to switch anything at this time.
Sooner or later some replacement needs to be found, as more and more other modules are dropping bleach.
Quite quickly there will be fewer and fewer eyeballs watching that module's security aspects.
In my distro I have ATM packaged +1.25k python modules as rpm packages. After the deprecation announcement, the number of modules still using bleach dropped from 12 to 3 in the first two weeks.
Now in that small population nbconvert is the only remaining module 🤔
I've stated my position. I'm unsubscribing from this issue.
bleach is deprecated; statement on project going forward (2023-01-23) https://github.com/mozilla/bleach/issues/698