Bleach

Latest version: v6.1.0


Page 4 of 8

3.0.2

Not secure
----------------------------------

**Security fixes**

None

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

* Merge ``Characters`` tokens after sanitizing them. This fixes issues in the
``LinkifyFilter`` where it was only linkifying parts of urls. (374)

3.0.1

Not secure
---------------------------------

**Security fixes**

None

**Backwards incompatible changes**

None

**Features**

* Support Python 3.7. It supported Python 3.7 just fine, but we added 3.7 to
the list of Python environments we test so this is now officially supported.
(377)

**Bug fixes**

* Fix ``list`` object has no attribute ``lower`` in ``clean``. (398)
* Fix ``abbr`` getting escaped in ``linkify``. (400)

3.0.0

Not secure
---------------------------------

**Security fixes**

None

**Backwards incompatible changes**

* A bunch of functions were moved from one module to another.

  These were moved from ``bleach.sanitizer`` to ``bleach.html5lib_shim``:

  * ``convert_entity``
  * ``convert_entities``
  * ``match_entity``
  * ``next_possible_entity``
  * ``BleachHTMLSerializer``
  * ``BleachHTMLTokenizer``
  * ``BleachHTMLParser``

  These functions and classes weren't documented and aren't part of the
  public API, but people read code and might be using them so we're
  considering it an incompatible API change.

  If you're using them, you'll need to update your code.

**Features**

* Bleach no longer depends on html5lib. html5lib==1.0.1 is now vendored into
Bleach. You can remove it from your requirements file if none of your other
requirements require html5lib.

This means Bleach will now work fine with other libraries that depend on
html5lib regardless of what version of html5lib they require. (386)

**Bug fixes**

* Fixed tags getting added when using clean or linkify. This was a
long-standing regression from the Bleach 2.0 rewrite. (280, 392)

* Fixed ``<isindex>`` getting replaced with a string. Now it gets escaped or
stripped depending on whether it's in the allowed tags or not. (279)

2.1.4

Not secure
---------------------------------

**Security fixes**

None

**Backwards incompatible changes**

* Dropped support for Python 3.3. (328)

**Features**

None

**Bug fixes**

* Handle ambiguous ampersands correctly. (359)

2.1.3

Not secure
-------------------------------

**Security fixes**

* Attributes that have URI values weren't properly sanitized if the
values contained character entities. Using character entities, it
was possible to construct a URI value with a scheme that was not
allowed that would slide through unsanitized.

This security issue was introduced in Bleach 2.1. Anyone using
Bleach 2.1 is highly encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1442745
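
The class of bug described above, as an added example that is not Bleach's own code: a scheme allow-list applied to the raw attribute text misses a scheme whose characters are written as character entities, while decoding the entities first (as a browser does) catches it. The function names, the allow-list and the sample values are assumptions constructed for this illustration.

```python
import html
import re

# Assumed allow-list for this example (not Bleach's default list).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME_RE = re.compile(r"([a-zA-Z][a-zA-Z0-9+.\-]*):")


def _scheme_of(value):
    """Return the lowercased scheme of value, or None if it looks relative."""
    # Drop ASCII whitespace/control characters before matching; removing
    # them everywhere is stricter than a browser and fails closed.
    stripped = re.sub(r"[\x00-\x20]+", "", value)
    match = _SCHEME_RE.match(stripped)
    return match.group(1).lower() if match else None


def naive_is_allowed(raw_attr_value):
    """Flawed check: inspects the attribute text with entities still encoded."""
    scheme = _scheme_of(raw_attr_value)
    return scheme is None or scheme in ALLOWED_SCHEMES


def hardened_is_allowed(raw_attr_value):
    """Decode character entities once, then apply the same scheme check."""
    scheme = _scheme_of(html.unescape(raw_attr_value))
    return scheme is None or scheme in ALLOWED_SCHEMES


# Constructed sample attribute values; "ftp" stands in for any scheme
# that is not on the allow-list.
SAMPLES = [
    "https://example.test/",         # allowed scheme
    "/docs/page.html",               # relative URI, no scheme
    "ftp://example.test/file",       # disallowed scheme, written plainly
    "ftp&#58;//example.test/file",   # colon written as a numeric entity
    "&#x66;tp://example.test/file",  # first letter written as a hex entity
]


def audit(samples=SAMPLES):
    """Return (value, naive_verdict, hardened_verdict) for each sample."""
    return [(s, naive_is_allowed(s), hardened_is_allowed(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, hardened in audit():
        print(f"{value!r:36} naive={naive!s:5} hardened={hardened}")
```

The two entity-encoded samples are the ones where the verdicts differ: the naive check sees no scheme and treats the value as relative.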

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

* Fixed some other edge cases for attribute URI value sanitizing and
improved testing of this code.

2.1.2

Not secure
----------------------------------

**Security fixes**

None

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

* Support html5lib-python 1.0.1. (337)

* Add deprecation warning for supporting html5lib-python < 1.0.

* Switch to semver.
