Bleach 6.4.0 — final release with security fixes

CHANGES

@@ -4,13 +4,39 @@ Bleach changes
 Version 6.4.0 (TBD)
 -------------------
 
+**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
+releases including for security issues.**
+See issue: `<https://github.com/mozilla/bleach/issues/698>`__
+
 **Backwards incompatible changes**
 
 * Dropped support for pypy 3.10. (#764)
 
 **Security fixes**
 
-None
+* Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.
+
+  Fix XSS issue with sanitize_uri_value where disallowed schemes with
+  Unicode invisible characters wouldn't be rejected.
+
+  For example::
+
+    import bleach
+    payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click</a>'
+    result1 = bleach.clean(payload1)
+    print(repr(result1))
+
+  outputs::
+
+    '<a href="javascript\u200b:alert(document.cookie)">Click</a>'
+
+  See the advisory for details.
+
+* Fix GHSA-gj48-438w-jh9v.
+
+  Fix issue where URI sanitization wasn't happening in formaction attributes.
+
+  See the advisory for details.
 
 **Bug fixes**
 

CONTRIBUTING.rst

@@ -1,19 +1,6 @@
-Reporting Bugs
-==============
+Status
+======
 
-For regular bugs, please report them `in our issue tracker
-<https://github.com/mozilla/bleach/issues>`_.
-
-
-Reporting security bugs
------------------------
-
-If you believe that you've found a security vulnerability, please `file a secure
-bug report in our bug tracker
-<https://bugzilla.mozilla.org/enter_bug.cgi?product=Webtools&component=Bleach-security&groups=webtools-security>`_
-or send an email to *security AT mozilla DOT org*.
-
-For more information on security-related bug disclosure and the PGP key to use
-for sending encrypted mail or to verify responses received from that address,
-please read our wiki page at
-`<https://www.mozilla.org/en-US/security/#For_Developers>`_.
+**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
+releases including for security issues.**
+See issue: https://github.com/mozilla/bleach/issues/698

CONTRIBUTORS

@@ -1,18 +1,21 @@
+**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
+releases including for security issues.**
+See issue: https://github.com/mozilla/bleach/issues/698
+
 Bleach was originally written and maintained by James Socol and various
 contributors within and without the Mozilla Corporation and Foundation.
 
-It is currently maintained by Will Kahn-Greene, Greg Guthe, and Jon Dufresne.
-
 Maintainers:
 
-- Will Kahn-Greene <willkg@mozilla.com>
-- Greg Guthe <gguthe@mozilla.com>
-- Jon Dufresne <jon.dufresne@gmail.com>
+None
 
 Maintainer emeritus:
 
 - Jannis Leidel <jleidel@mozilla.com>
 - James Socol <me@jamessocol.com>
+- Greg Guthe <gguthe@mozilla.com>
+- Jon Dufresne <jon.dufresne@gmail.com>
+- Will Kahn-Greene <willkg@mozilla.com>
 
 Contributors:
 

README.rst

@@ -2,17 +2,9 @@
 Bleach
 ======
 
-.. image:: https://github.com/mozilla/bleach/workflows/Test/badge.svg
-   :target: https://github.com/mozilla/bleach/actions?query=workflow%3ATest
-
-.. image:: https://github.com/mozilla/bleach/workflows/Lint/badge.svg
-   :target: https://github.com/mozilla/bleach/actions?query=workflow%3ALint
-
-.. image:: https://badge.fury.io/py/bleach.svg
-   :target: http://badge.fury.io/py/bleach
-
-**NOTE: 2023-01-23: Bleach is deprecated.** See issue:
-`<https://github.com/mozilla/bleach/issues/698>`__
+**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
+releases including for security issues.**
+See issue: `<https://github.com/mozilla/bleach/issues/698>`__
 
 Bleach is an allowed-list-based HTML sanitizing library that escapes or strips
 markup and attributes.

SECURITY.md

@@ -1,20 +1,5 @@
 # Security Policy
 
-## Supported Versions
-
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 4.1.x   | :white_check_mark: |
-| < 4     | :x:                |
-
-## Reporting a Vulnerability
-
-If you believe that you've found a security vulnerability, please [file a secure
-bug report in our bug tracker](https://bugzilla.mozilla.org/enter_bug.cgi?assigned_to=nobody%40mozilla.org&product=Webtools&component=Bleach-security&groups=webtools-security) or send an email to *security AT mozilla DOT org*.
-
-For more information on security-related bug disclosure and the PGP key to use
-for sending encrypted mail or to verify responses received from that address,
-please read our wiki page at https://www.mozilla.org/en-US/security/#For_Developers
+**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
+releases including for security issues.**
+See issue: https://github.com/mozilla/bleach/issues/698

bleach/__init__.py

@@ -11,9 +11,9 @@
 
 
 # yyyymmdd
-__releasedate__ = "20251027"
+__releasedate__ = "20260605"
 # x.y.z or x.y.z.dev0 -- semver
-__version__ = "6.3.0"
+__version__ = "6.4.0"
 
 
 __all__ = ["clean", "linkify"]

bleach/_vendor/03_html5lib_formaction.patch

@@ -0,0 +1,12 @@
+diff --git bleach/_vendor/html5lib/filters/sanitizer.py b/bleach/_vendor/html5lib/filters/sanitizer.py
+index a37c9d8..dd5a6a6 100644
+--- bleach/_vendor/html5lib/filters/sanitizer.py
++++ bleach/_vendor/html5lib/filters/sanitizer.py
+@@ -534,6 +534,7 @@ attr_val_is_uri = frozenset((
+     (None, 'dynsrc'),
+     (None, 'lowsrc'),
+     (None, 'ping'),
++    (None, 'formaction'),
+     (namespaces['xlink'], 'href'),
+     (namespaces['xml'], 'base'),
+ ))

bleach/_vendor/html5lib/filters/sanitizer.py

@@ -534,6 +534,7 @@
     (None, 'dynsrc'),
     (None, 'lowsrc'),
     (None, 'ping'),
+    (None, 'formaction'),
     (namespaces['xlink'], 'href'),
     (namespaces['xml'], 'base'),
 ))

bleach/_vendor/vendor_install.sh

@@ -13,6 +13,7 @@ pip install --no-binary all --no-compile --no-deps -r "${BLEACH_VENDOR_DIR}/vend
 # Apply patches
 (cd "${DEST}" && patch -p2 < 01_html5lib_six.patch)
 (cd "${DEST}" && patch -p2 < 02_html5lib_wbr.patch)
+(cd "${DEST}" && patch -p2 < 03_html5lib_formaction.patch)
 
 # install Python 3.6.14 urllib.urlparse for #536
 curl --proto '=https' --tlsv1.2 -o "${DEST}/parse.py" https://raw.githubusercontent.com/python/cpython/v3.6.14/Lib/urllib/parse.py

bleach/sanitizer.py

@@ -488,14 +488,15 @@ def sanitize_uri_value(self, value, allowed_protocols):
         # Convert all character entities in the value
         normalized_uri = html5lib_shim.convert_entities(value)
 
-        # Nix backtick, space characters, and control characters
+        # Strip backtick, whitespace, and control characters
         normalized_uri = re.sub(r"[`\000-\040\177-\240\s]+", "", normalized_uri)
 
-        # Remove REPLACEMENT characters
-        normalized_uri = normalized_uri.replace("\ufffd", "")
+        # Strip non-ASCII characters so that urlparse can parse the url into
+        # components correctly. This drops invisible and whitespace unicode
+        # characters among other things.
+        normalized_uri = re.sub(r"[^\x00-\x7f]", "", normalized_uri)
 
-        # Lowercase it--this breaks the value, but makes it easier to match
-        # against
+        # Lowercase value to make matching easier
         normalized_uri = normalized_uri.lower()
 
         try:

setup.py

@@ -55,7 +55,7 @@ def get_version():
     install_requires=INSTALL_REQUIRES,
     extras_require=EXTRAS_REQUIRE,
     classifiers=[
-        "Development Status :: 5 - Production/Stable",
+        "Development Status :: 7 - Inactive",
         "Environment :: Web Environment",
         "Intended Audience :: Developers",
         "Operating System :: OS Independent",

tests/test_clean.py

@@ -427,6 +427,21 @@ def test_poster_attribute():
     assert clean(ok, tags=tags, attributes=attrs) == ok
 
 
+def test_formaction_attribute():
+    """formaction attributes should not allow javascript (GHSA-gj48-438w-jh9v)."""
+    tags = {"button", "input"}
+    attrs = {"button": ["formaction"], "input": ["formaction", "type"]}
+
+    test = '<button formaction="javascript:alert(1)">x</button>'
+    assert clean(test, tags=tags, attributes=attrs) == "<button>x</button>"
+
+    test = '<input type="submit" formaction="javascript:alert(1)">'
+    assert clean(test, tags=tags, attributes=attrs) == '<input type="submit">'
+
+    ok = '<button formaction="/foo">x</button>'
+    assert clean(ok, tags=tags, attributes=attrs) == ok
+
+
 def test_attributes_callable():
     """Verify attributes can take a callable"""
 
@@ -618,6 +633,22 @@ def test_attributes_list():
         # Disallowed protocols with sneaky character entities
         ('<a href="javas&#x09;cript:alert(1)">alert</a>', {}, "<a>alert</a>"),
         ('<a href="&#14;javascript:alert(1)">alert</a>', {}, "<a>alert</a>"),
+        # Disallowed protocols with Unicode characters injected
+        (
+            '<a href="javascript\u200b:alert(1)">alert</a>',
+            {"protocols": ALLOWED_PROTOCOLS},
+            "<a>alert</a>",
+        ),
+        (
+            '<a href="\ufeffjavascript:alert(1)">alert</a>',
+            {"protocols": ALLOWED_PROTOCOLS},
+            "<a>alert</a>",
+        ),
+        (
+            '<a href="javascript\u00ad:alert(1)">alert</a>',
+            {"protocols": ALLOWED_PROTOCOLS},
+            "<a>alert</a>",
+        ),
         # Checking the uri should change it at all
         (
             '<a href="http://example.com/?foo&nbsp;bar">foo</a>',