Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2019/06/05 14:34:21 UTC

[allura:tickets] #8297 Consider changing from html5lib sanitizer to bleach sanitizer



---

** [tickets:#8297] Consider changing from html5lib sanitizer to bleach sanitizer**

**Status:** open
**Milestone:** unreleased
**Created:** Wed Jun 05, 2019 02:34 PM UTC by Dave Brondsema
**Last Updated:** Wed Jun 05, 2019 02:34 PM UTC
**Owner:** nobody


https://bleach.readthedocs.io/en/latest/goals.html#bleach-vs-html5lib has some reasons.  Also html5lib hasn't had a lot of activity or releases for a while, and bleach is more actively maintained.  Regarding their claim of `sanitize_css` being broken, I found these issues which seem to indicate it's not a huge risk, but not correct either:

* https://github.com/html5lib/html5lib-python/issues/152
* https://github.com/html5lib/html5lib-python/issues/316
* https://github.com/html5lib/html5lib-python/issues/317

We have customized behavior with our `ForgeHTMLSanitizerFilter` class, so it'll take careful work to make sure the right logic is still applied.

https://github.com/yourcelf/bleach-whitelist has a list of tags/attrs/styles that could be handy (doesn't bleach have its own safe list?)


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] #8297 Consider changing from html5lib sanitizer to bleach sanitizer

Posted by Dave Brondsema <da...@brondsema.net>.
The https://github.com/yourcelf/bleach-whitelist list doesn't look very good to me (very limited on tags, not limited enough on CSS rules).  The new version of Pypeline I've been working on will use `bleach` and will come with a ruleset that should work well for Allura.


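As an added illustration of the kind of ruleset the ticket and the reply are talking about (tags, per-tag attributes, and inline-style rules, with the CSS side being the part called "not limited enough"), here is a stdlib-only allowlist sanitizer. It is not Allura's `ForgeHTMLSanitizerFilter`, not bleach's or html5lib's code, and not the Pypeline ruleset mentioned above; every allowlist, regex and function name in it is an assumption chosen for the example, and the sample inputs are constructed.

```python
"""Allowlist HTML sanitizer sketch, stdlib only (html.parser).

Added illustration; not Allura's ForgeHTMLSanitizerFilter and not bleach's or
html5lib's code.  All names and allowlists below are assumptions.
"""
import re
from html import escape
from html.parser import HTMLParser

# 1. Tag allowlist: other tags are dropped but their text is kept (escaped),
#    except script/style whose content is dropped as well.
ALLOWED_TAGS = {"a", "b", "blockquote", "br", "code", "em", "i", "img", "li",
                "ol", "p", "pre", "span", "strong", "ul"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}

# 2. Per-tag attribute allowlist; event handlers can never appear here.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"},
                 "p": {"style"}, "span": {"style"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# 3. Inline-style allowlist: properties by name, values by a strict character
#    grammar (no parentheses, slashes, quotes or backslashes) so url(),
#    expression(), CSS escapes and comments cannot reach the browser.
ALLOWED_CSS_PROPS = {"color", "font-weight", "text-align"}
CSS_VALUE_RE = re.compile(r"[-\w\s#.,%]+")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def safe_url(value: str) -> bool:
    """True if the URL is relative or uses an allowed scheme.

    Browsers ignore whitespace/control characters inside a scheme
    ("java\\tscript:"), so strip them before looking for one.
    """
    compact = "".join(ch for ch in value.strip().lower()
                      if ch.isprintable() and not ch.isspace())
    m = SCHEME_RE.match(compact)
    return m is None or m.group(1) in ALLOWED_SCHEMES


def safe_style(value: str) -> str:
    """Keep only declarations passing both the property and value allowlists."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = (part.strip() for part in decl.split(":", 1))
        prop = prop.lower()
        if prop in ALLOWED_CSS_PROPS and CSS_VALUE_RE.fullmatch(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class AllowlistSanitizer(HTMLParser):
    """Token-level filter: emits allowed tags/attributes, escapes all text.

    Unlike bleach/html5lib it builds no tree, so unclosed tags are not
    balanced; that is a deliberate simplification for the example.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS or self.skip:
            return
        pieces = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            if name == "style":
                value = safe_style(value)
                if not value:
                    continue
            pieces.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs, not taken from the ticket.
    for sample in ('<p style="color: red; background: url(javascript:alert(1))">hi</p>',
                   '<a href="java\tscript:alert(1)">x</a>',
                   '<script>alert(1)</script><b onclick="x()">bold</b>'):
        print(sanitize(sample))
```

The design point is that each of the three lists is positive: a property that is not named, a value character that is not in the grammar, or a scheme that is not listed is dropped rather than pattern-matched against known-bad strings, which is the failure mode behind "not limited enough on CSS rules". Swapping this sketch for a real library keeps the same shape of configuration, only the parsing is done by a tree builder.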