Bleach

---------------------------------

**Backwards incompatible changes**

* Dropped support for Python 3.7. (709)

**Security fixes**

None

**Bug fixes**

* Add support for Python 3.12. (710)
* Fix linkify with arrays in querystring (436)
* Handle more cases with < followed by character data (705)
* Fix entities inside a tags in linkification (704)
* Update cap for tinycss2 to <1.3 (702)
* Updated Sphinx requirement
* Add dependabot for github actions and update github actions

----------------------------------

**Backwards incompatible changes**

* ``bleach.clean``, ``bleach.sanitizer.Cleaner``,
``bleach.html5lib_shim.BleachHTMLParser``: the ``tags`` and ``protocols``
arguments were changed from lists to sets.

Old pre-6.0.0:

.. code-block:: python

bleach.clean(
"some text",
tags=["a", "p", "img"],
^ ^ list
protocols=["http", "https"],
^ ^ list
)


New 6.0.0 and later:

.. code-block:: python

bleach.clean(
"some text",
tags={"a", "p", "img"},
^ ^ set
protocols={"http", "https"},
^ ^ set
)

* ``bleach.linkify``, ``bleach.linkifier.Linker``: the ``skip_tags`` and
``recognized_tags`` arguments were changed from lists to sets.

Old pre-6.0.0:

.. code-block:: python

bleach.linkify(
"some text",
skip_tags=["pre"],
^ ^ list
)

linker = Linker(
skip_tags=["pre"],
^ ^ list
recognized_tags=html5lib_shim.HTML_TAGS + ["custom-element"],
^ ^ ^ list
|
| list concatenation
)

New 6.0.0 and later:

.. code-block:: python

bleach.linkify(
"some text",
skip_tags={"pre"},
^ ^ set
)

linker = Linker(
skip_tags={"pre"},
^ ^ set
recognized_tags=html5lib_shim.HTML_TAGS | {"custom-element"},
^ ^ ^ set
|
| union operator
)

* ``bleach.sanitizer.BleachSanitizerFilter``: ``strip_allowed_elements`` is now
``strip_allowed_tags``. We now use "tags" everywhere rather than a mishmash
of "tags" in some places and "elements" in others.


**Security fixes**

None


**Bug fixes**

* Add support for Python 3.11. (675)

* Fix API weirness in ``BleachSanitizerFilter``. (649)

We're using "tags" instead of "elements" everywhere--no more weird
overloading of "elements" anymore.

Also, it no longer calls the superclass constructor.

* Add warning when ``css_sanitizer`` isn't set, but the ``style``
attribute is allowed. (676)

* Fix linkify handling of character entities. (501)

* Rework dev dependencies to use ``requirements-dev.txt`` and
``requirements-flake8.txt`` instead of extras.

* Fix project infrastructure to be tox-based so it's easier to have CI
run the same things we're running in development and with flake8
in an isolated environment.

* Update action versions in CI.

* Switch to f-strings where possible. Make tests parametrized to be
easier to read/maintain.

-------------------------------

**Security fixes**

None


**Bug fixes**

* Add missing comma to tinycss2 require. Thank you, shadchin!

* Add url parse tests based on wpt url tests. (688)

* Support scheme-less urls if "https" is in allow list. (662)

* Handle escaping ``<`` in edge cases where it doesn't start a tag. (544)

* Fix reference warnings in docs. (660)

* Correctly urlencode email address parts. Thank you, larseggert! (659)

-------------------------------

**Backwards incompatible changes**

* ``clean`` and ``linkify`` now preserve the order of HTML attributes. Thank
you, askoretskly! (566)

* Drop support for Python 3.6. Thank you, hugovk! (629)

* CSS sanitization in style tags is completely different now. If you're using
Bleach ``clean`` to sanitize css in style tags, you'll need to update your
code and you'll need to install the ``css`` extras::

pip install 'bleach[css]'

See `the documentation on sanitizing CSS for how to do it
<https://bleach.readthedocs.io/en/latest/clean.html#sanitizing-css>`_. (633)

**Security fixes**

None

**Bug fixes**

* Rework dev dependencies. We no longer have
``requirements-dev.in``/``requirements-dev.txt``. Instead, we're using
``dev`` extras.

See `development docs <https://bleach.readthedocs.io/en/latest/dev.html>`_
for more details. (620)

* Add newline when dropping block-level tags. Thank you, jvanasco! (369)

---------------------------------

**Features**

* Python 3.9 support

**Security fixes**

None

**Bug fixes**

* Update sanitizer clean to use vendored 3.6.14 stdlib urllib.parse to
fix test failures on Python 3.9. (536)

--------------------------------

**Backwards incompatible changes**

* Drop support for unsupported Python versions <3.6. (520)

**Security fixes**

None

**Features**

* fix attribute name in the linkify docs (thanks CheesyFeet!)