Skip to content

Update bleach to 3.1.5 #49

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update bleach to 3.1.5 #49

wants to merge 1 commit into from

Conversation

pyup-bot
Copy link
Collaborator

This PR updates bleach from 3.1.0 to 3.1.5.

Changelog

3.1.5

--------------------------------

**Security fixes**

None

**Features**

None

**Bug fixes**

* replace missing ``setuptools`` dependency with ``packaging``. Thank you Benjamin Peterson.

3.1.4

--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing style attributes could result in a
regular expression denial of service (ReDoS).

Calls to ``bleach.clean`` with an allowed tag with an allowed
``style`` attribute were vulnerable to ReDoS. For example,
``bleach.clean(..., attributes={'a': ['style']})``.

This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
regular expression and should be considered vulnerable too.

Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1623633

**Backwards incompatible changes**

* Style attributes with dashes, or single or double quoted values are
cleaned instead of passed through.

**Features**

None

**Bug fixes**

None

3.1.3

--------------------------------

**Security fixes**

None

**Backwards incompatible changes**

None

**Features**

* Add relative link to code of conduct. (442)

* Drop deprecated 'setup.py test' support. (507)

* Fix typo: curren -> current in tests/test_clean.py (504)

* Test on PyPy 7

* Drop test support for end of life Python 3.4

**Bug fixes**

None

3.1.2

--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing embedded MathML and SVG content
with RCDATA tags did not match browser behavior and could result in
a mutation XSS.

Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
``svg`` tags and one or more of the RCDATA tags ``script``,
``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
``xmp`` in the allowed tags whitelist were vulnerable to a mutation
XSS.

This security issue was confirmed in Bleach version v3.1.1. Earlier
versions are likely affected too.

Anyone using Bleach <=v3.1.1 is encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

None

3.1.1

-----------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
browser behavior.

Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
the raw text tags (``title``, ``textarea``, ``script``, ``style``,
``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
to a mutation XSS.

This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
and v3.1.0. Earlier versions are probably affected too.

Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1615315

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

None

Bleach changes
==============
Links

@pyup-bot pyup-bot mentioned this pull request Apr 29, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@pyup-bot