Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-lxml_html_clean for 
openSUSE:Factory checked in at 2026-07-06 12:31:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-lxml_html_clean (Old)
 and      /work/SRC/openSUSE:Factory/.python-lxml_html_clean.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-lxml_html_clean"

Mon Jul  6 12:31:36 2026 rev:6 rq:1363833 version:0.4.5

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/python-lxml_html_clean/python-lxml_html_clean.changes
    2026-03-10 18:58:40.485846414 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-lxml_html_clean.new.1982/python-lxml_html_clean.changes
  2026-07-06 12:34:10.543235010 +0200
@@ -1,0 +2,11 @@
+Sun Jul  5 09:49:18 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 0.4.5 (bsc#1270285, CVE-2026-49825):
+  * Fixed a security vulnerability where javascript: URLs in
+    xlink:href attributes were not sanitized
+    when``safe_attrs_only=False``, allowing cross-site scripting
+    (XSS) attacks. The fix requires lxml>=6.1.1, which adds
+    xlink:href to the set of link attributes iterated by
+    rewrite_links(). Reported by Guillem Lefait (@glefait).
+
+-------------------------------------------------------------------

Old:
----
  lxml_html_clean-0.4.4.tar.gz

New:
----
  lxml_html_clean-0.4.5.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-lxml_html_clean.spec ++++++
--- /var/tmp/diff_new_pack.TfqiCT/_old  2026-07-06 12:34:11.335262528 +0200
+++ /var/tmp/diff_new_pack.TfqiCT/_new  2026-07-06 12:34:11.343262806 +0200
@@ -18,7 +18,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-lxml_html_clean
-Version:        0.4.4
+Version:        0.4.5
 Release:        0
 Summary:        HTML cleaner from lxml project
 License:        BSD-3-Clause

++++++ lxml_html_clean-0.4.4.tar.gz -> lxml_html_clean-0.4.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/CHANGES.rst 
new/lxml_html_clean-0.4.5/CHANGES.rst
--- old/lxml_html_clean-0.4.4/CHANGES.rst       2026-02-27 10:32:54.000000000 
+0100
+++ new/lxml_html_clean-0.4.5/CHANGES.rst       2026-05-20 12:17:11.000000000 
+0200
@@ -3,8 +3,17 @@
 =========================
 
 
-Unreleased
-==========
+0.4.5 (2026-05-20)
+==================
+
+Bugs fixed
+----------
+
+* Fixed a security vulnerability where ``javascript:`` URLs in ``xlink:href``
+  attributes were not sanitized when``safe_attrs_only=False``, allowing
+  cross-site scripting (XSS) attacks. The fix requires ``lxml>=6.1.1``,
+  which adds ``xlink:href`` to the set of link attributes iterated by
+  ``rewrite_links()``. Reported by Guillem Lefait (@glefait).
 
 0.4.4 (2026-02-26)
 ==================
@@ -14,12 +23,12 @@
 
 * Fixed a bug where Unicode escapes in CSS were not properly decoded
   before security checks. This prevents attackers from bypassing filters
-  using escape sequences.
+  using escape sequences. (CVE-2026-28348)
 * Fixed a security issue where ``<base>`` tags could be used for URL
   hijacking attacks. The ``<base>`` tag is now automatically removed
   whenever the ``<head>`` tag is removed (via ``page_structure=True``
   or manual configuration), as ``<base>`` must be inside ``<head>``
-  according to HTML specifications.
+  according to HTML specifications. (CVE-2026-28350)
 
 0.4.3 (2025-10-02)
 ==================
@@ -58,7 +67,7 @@
   within CSS comments. In certain contexts, such as within ``<svg>`` or 
``<math>`` tags,
   ``<style>`` tags may lose their intended function, allowing comments
   like ``/* foo */`` to potentially be executed by the browser.
-  If a suspicious content is detected, only the comment is removed.
+  If a suspicious content is detected, only the comment is removed. 
(CVE-2024-52595)
 
 0.3.1 (2024-10-09)
 ==================
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/PKG-INFO 
new/lxml_html_clean-0.4.5/PKG-INFO
--- old/lxml_html_clean-0.4.4/PKG-INFO  2026-02-27 10:33:33.721878000 +0100
+++ new/lxml_html_clean-0.4.5/PKG-INFO  2026-05-20 12:17:34.396014500 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lxml_html_clean
-Version: 0.4.4
+Version: 0.4.5
 Summary: HTML cleaner from lxml project
 Home-page: https://github.com/fedora-python/lxml_html_clean/
 Author: Lumír Balhar
@@ -17,7 +17,7 @@
 Classifier: Programming Language :: Python :: 3.14
 Description-Content-Type: text/markdown
 License-File: LICENSE.txt
-Requires-Dist: lxml
+Requires-Dist: lxml>=6.1.1
 Dynamic: license-file
 
 # lxml_html_clean
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/PKG-INFO 
new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/PKG-INFO
--- old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/PKG-INFO 2026-02-27 
10:33:33.000000000 +0100
+++ new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/PKG-INFO 2026-05-20 
12:17:34.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lxml_html_clean
-Version: 0.4.4
+Version: 0.4.5
 Summary: HTML cleaner from lxml project
 Home-page: https://github.com/fedora-python/lxml_html_clean/
 Author: Lumír Balhar
@@ -17,7 +17,7 @@
 Classifier: Programming Language :: Python :: 3.14
 Description-Content-Type: text/markdown
 License-File: LICENSE.txt
-Requires-Dist: lxml
+Requires-Dist: lxml>=6.1.1
 Dynamic: license-file
 
 # lxml_html_clean
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/requires.txt 
new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/requires.txt
--- old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/requires.txt     
2026-02-27 10:33:33.000000000 +0100
+++ new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/requires.txt     
2026-05-20 12:17:34.000000000 +0200
@@ -1 +1 @@
-lxml
+lxml>=6.1.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/setup.cfg 
new/lxml_html_clean-0.4.5/setup.cfg
--- old/lxml_html_clean-0.4.4/setup.cfg 2026-02-27 10:33:33.722296500 +0100
+++ new/lxml_html_clean-0.4.5/setup.cfg 2026-05-20 12:17:34.396445800 +0200
@@ -1,6 +1,6 @@
 [metadata]
 name = lxml_html_clean
-version = 0.4.4
+version = 0.4.5
 description = HTML cleaner from lxml project
 long_description = file:README.md
 long_description_content_type = text/markdown
@@ -25,7 +25,7 @@
 packages = 
        lxml_html_clean
 install_requires = 
-       lxml
+       lxml>=6.1.1
 
 [egg_info]
 tag_build = 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/tests/test_clean_embed.txt 
new/lxml_html_clean-0.4.5/tests/test_clean_embed.txt
--- old/lxml_html_clean-0.4.4/tests/test_clean_embed.txt        2025-10-02 
22:37:00.000000000 +0200
+++ new/lxml_html_clean-0.4.5/tests/test_clean_embed.txt        2026-05-12 
08:38:06.000000000 +0200
@@ -13,15 +13,15 @@
 ...     return s
 
 >>> doc_embed = '''<div>
-... <embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash"></embed>
-... <embed src="http://anothersite.com/v/another";></embed>
+... <embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash">
+... <embed src="http://anothersite.com/v/another";>
 ... <script src="http://www.youtube.com/example.js";></script>
 ... <script src="/something-else.js"></script>
 ... </div>'''
 >>> print(tostring(fromstring(doc_embed)))
 <div>
-<embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash"></embed>
-<embed src="http://anothersite.com/v/another";></embed>
+<embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash">
+<embed src="http://anothersite.com/v/another";>
 <script src="http://www.youtube.com/example.js";></script>
 <script src="/something-else.js"></script>
 </div>
@@ -30,10 +30,10 @@
 </div>
 >>> print(Cleaner(host_whitelist=['www.youtube.com']).clean_html(doc_embed))
 <div>
-<embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash"></embed>
+<embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash">
 </div>
 >>> print(Cleaner(host_whitelist=['www.youtube.com'], 
 >>> whitelist_tags=None).clean_html(doc_embed))
 <div>
-<embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash"></embed>
+<embed src="http://www.youtube.com/v/183tVH1CZpA"; 
type="application/x-shockwave-flash">
 <script src="http://www.youtube.com/example.js";></script>
 </div>

Reply via email to