search

stephenmcd / mezzanine

CMS framework for Django
http://mezzanine.jupo.org
BSD 2-Clause "Simplified" License
4.75k stars 1.64k forks source link

[BUG] Bleach 6.0.0 breaks escape method at mezzanine/utils/html.py #2054

Open dbeltra opened 1 year ago

dbeltra commented 1 year ago

Is there an existing issue for this?

Current Behavior

When trying to save a rich text page you get the following error:

TypeError: unsupported operand type(s) for +: 'frozenset' and 'list'

Expected Behavior

The page should be saved without errors

Steps To Reproduce

  1. Install Mezzanine 6.0.0 and bleach 6.0.0
  2. Create a new project and try to save a page

Environment

* Mezzanine 6.0.0
* Django 4.1.7
* Python 3.8.13
* SQLite 3.38.5
* Darwin 21.4.0

Anything else?

On the latest bleach release, ALLOWED_PROTOCOLS has been changed from list to a frozenset, this is the specific commit: https://github.com/mozilla/bleach/commit/29231a10eb983e25b59c8edc5b6abcb12dbaaabe

This makes this code (https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/utils/html.py#L113) crash: protocols=ALLOWED_PROTOCOLS + ["tel"] since lists and frozensets can't be added

Downgrading to bleach==5.0.1 fixes the issue.

Dziugas commented 1 year ago

Yup, ran into this one too.

andr0s commented 1 year ago

Yep same

LordVan commented 1 year ago

I just changed line 113 to this and it seems to work so far: protocols=list(ALLOWED_PROTOCOLS) + ["tel"],