Bleach

Latest version: v6.1.0

Page 3 of 8

3.1.5 (Not secure)
--------------------------------

**Security fixes**

None

**Features**

None

**Bug fixes**

* Replace missing ``setuptools`` dependency with ``packaging``. Thank you, Benjamin Peterson.

3.1.4 (Not secure)
--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing style attributes could result in a
  regular expression denial of service (ReDoS).

  Calls to ``bleach.clean`` with an allowed tag whose allowed attributes
  include ``style`` were vulnerable to ReDoS. For example,
  ``bleach.clean(..., attributes={'a': ['style']})``.

  This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
  v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
  regular expression and should be considered vulnerable too.

  Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1623633

**Backwards incompatible changes**

* Style attributes with dashes, or single or double quoted values, are
  cleaned instead of passed through.

**Features**

None

**Bug fixes**

None

3.1.3 (Not secure)
--------------------------------

**Security fixes**

None

**Backwards incompatible changes**

* Drop support for Python 3.4. Thank you, hugovk!

* Drop deprecated ``setup.py test`` support. Thank you, jdufresne! (507)

**Features**

* Add support for Python 3.8. Thank you, jdufresne!

* Add support for PyPy 7. Thank you, hugovk!

* Add pypy3 testing to tox and travis. Thank you, jdufresne!

**Bug fixes**

* Add relative link to code of conduct. (442)

* Fix typo: curren -> current in tests/test_clean.py. Thank you, timgates42! (504)

* Fix handling of non-ASCII style attributes. Thank you, sekineh! (426)

* Simplify tox configuration. Thank you, jdufresne!

* Make documentation reproducible. Thank you, lamby!

* Fix typos in code comments. Thank you, zborboa-g!

* Fix exception value testing. Thank you, mastizada!

* Fix parser-tags NoneType exception. Thank you, bope!

* Improve TLD support in linkify. Thank you, pc-coholic!

3.1.2 (Not secure)
--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing embedded MathML and SVG content
  with RCDATA tags did not match browser behavior and could result in
  a mutation XSS.

  Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
  ``svg`` tags and one or more of the RCDATA tags ``script``,
  ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
  ``xmp`` in the allowed tags whitelist were vulnerable to a mutation
  XSS.

  This security issue was confirmed in Bleach version v3.1.1. Earlier
  versions are likely affected too.

  Anyone using Bleach <=v3.1.1 is encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

None

3.1.1 (Not secure)
--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
  browser behavior.

  Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
  the raw text tags (``title``, ``textarea``, ``script``, ``style``,
  ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
  to a mutation XSS.

  This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
  and v3.1.0. Earlier versions are probably affected too.

  Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.

  https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
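Added example, not Bleach's own code and not part of this changelog: a small audit that checks a planned ``bleach.clean`` call against the conditions stated in the 3.1.4, 3.1.2 and 3.1.1 entries, so a deployment can tell whether its installed version must be upgraded before that call is safe. The tag lists, version thresholds and bug numbers are copied from those entries; it does not import ``bleach``, and the function names are hypothetical.

```python
"""Audit a bleach.clean() configuration against the 3.1.4, 3.1.2 and 3.1.1 advisories."""
# Added example, not Bleach's own code. Tag sets are copied from the changelog entries.

RCDATA_TAGS = {"script", "noscript", "style", "noframes", "iframe", "noembed", "xmp"}
RAW_TEXT_TAGS = {"title", "textarea", "script", "style", "noembed", "noframes", "iframe", "xmp"}


def parse_version(text):
    """'v3.1.3' -> (3, 1, 3). Plain release versions only, as in the changelog."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def style_attribute_allowed(attributes):
    """True if the ``attributes`` argument can admit a ``style`` attribute.

    bleach.clean accepts a list, a dict of tag -> list-or-callable, or a
    callable; callables cannot be inspected, so they are flagged conservatively.
    """
    if callable(attributes):
        return True
    if isinstance(attributes, dict):
        return any(callable(v) or "style" in v for v in attributes.values())
    return "style" in set(attributes)


def audit_clean_config(version, tags, attributes=(), strip=False):
    """Return the changelog advisories that apply to one bleach.clean() call.

    ``version`` is the installed Bleach version; ``tags``, ``attributes`` and
    ``strip`` mirror the keyword arguments the call would pass to bleach.clean.
    """
    installed = parse_version(version)
    allowed = set(tags)
    findings = []
    # 3.1.4 entry: ReDoS when an allowed tag may carry a style attribute.
    if installed < (3, 1, 4) and style_attribute_allowed(attributes):
        findings.append("ReDoS via style attribute (fixed in 3.1.4, bug 1623633)")
    # 3.1.2 entry: mutation XSS with strip=False, math/svg and an RCDATA tag allowed.
    if installed < (3, 1, 2) and not strip and allowed & {"math", "svg"} and allowed & RCDATA_TAGS:
        findings.append("mutation XSS via math/svg + RCDATA tags (fixed in 3.1.2, bug 1621692)")
    # 3.1.1 entry: mutation XSS with noscript and a raw text tag allowed.
    if installed < (3, 1, 1) and "noscript" in allowed and allowed & RAW_TEXT_TAGS:
        findings.append("mutation XSS via noscript + raw text tags (fixed in 3.1.1, bug 1615315)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the exact call quoted in the 3.1.4 entry, on Bleach 3.1.3.
    for finding in audit_clean_config("v3.1.3", ["a"], {"a": ["style"]}):
        print(finding)
```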

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

None

3.1.0 (Not secure)
--------------------------------

**Security fixes**

None

**Backwards incompatible changes**

None

**Features**

* Add ``recognized_tags`` argument to the linkify ``Linker`` class. This
  fixes issues when linkifying on its own and having some tags get escaped.
  It defaults to a list of HTML5 tags. Thank you, Chad Birch! (409)

**Bug fixes**

* Add ``six>=1.9`` to requirements. Thank you, Dave Shawley! (416)

* Fix cases where attribute names could have invalid characters in them. (419)

* Fix problems with ``LinkifyFilter`` not being able to match links
  across ``&amp;``. (422)

* Fix ``InputStreamWithMemory`` when the ``BleachHTMLParser`` is
  parsing ``meta`` tags. (431)

* Fix doctests. (357)

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.