Update dependency bleach to v3.3.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
bleach	==3.1.4 -> ==3.3.0

GitHub Vulnerability Alerts

CVE-2021-23980

Impact

A mutation XSS affects users calling bleach.clean with all of:

• svg or math in the allowed tags
• p or br in allowed tags
• style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags
• the keyword argument strip_comments=False

Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

Patches

Users are encouraged to upgrade to bleach v3.3.0 or greater.

Note: bleach v3.3.0 introduces a breaking change to escape HTML comments by default.

Workarounds

• modify bleach.clean calls to at least one of:

  • not allow the style, title, noscript, script, textarea, noframes, iframe, or xmp tag
  • not allow svg or math tags
  • not allow p or br tags
  • set strip_comments=True

• A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs) will also help mitigate the risk.

References

• https://bugzilla.mozilla.org/show_bug.cgi?id=1689399
• https://advisory.checkmarx.net/advisory/CX-2021-4303
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23980
• https://cure53.de/fp170.pdf

Credits

• Reported by Yaniv Nizry from the CxSCA AppSec group at Checkmarx
• Additional eject tags not mentioned in the original advisory and the CSP mitigation line being truncated in the revised advisory reported by Michał Bentkowski at Securitum

For more information

If you have any questions or comments about this advisory:

• Open an issue at https://github.com/mozilla/bleach/issues
• Email us at security@mozilla.org

---

Release Notes

mozilla/bleach

v3.3.0

Compare Source

Backwards incompatible changes

• clean escapes HTML comments even when strip_comments=False

Security fixes

• Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details.

Features

None

Bug fixes

None

v3.2.3

Compare Source

Security fixes

None

Features

None

Bug fixes

• fix clean and linkify raising ValueErrors for certain inputs. Thank you @​Google-Autofuzz.

v3.2.2

Compare Source

Security fixes

None

Features

• Migrate CI to Github Actions. Thank you @​hugovk.

Bug fixes

• fix linkify raising an IndexError on certain inputs. Thank you @​Google-Autofuzz.

v3.2.1

Compare Source

Security fixes

None

Features

None

Bug fixes

• change linkifier to add rel="nofollow" as documented. Thank you @​mitar.
• suppress html5lib sanitizer DeprecationWarnings (#​557)

v3.2.0

Compare Source

Security fixes

None

Features

None

Bug fixes

• html5lib dependency to version 1.1.0. Thank you Sam Sneddon.
• update tests_website terminology. Thank you Thomas Grainger.

v3.1.5

Compare Source

Security fixes

None

Features

None

Bug fixes

• replace missing setuptools dependency with packaging. Thank you Benjamin Peterson.

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[github-actions]

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[github-actions]

This PR was closed because it has been stalled for 10 days with no activity.

[renovate]

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will now ignore this update (==3.3.0). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.