---
** [tickets:#8297] Consider changing from html5lib sanitizer to bleach
sanitizer**
**Status:** open
**Milestone:** unreleased
**Created:** Wed Jun 05, 2019 02:34 PM UTC by Dave Brondsema
**Last Updated:** Wed Jun 05, 2019 02:34 PM UTC
**Owner:** nobody
https://bleach.readthedocs.io/en/latest/goals.html#bleach-vs-html5lib has some
reasons. Also html5lib hasn't had a lot of activity or releases for a while,
and bleach is more actively maintained. Regarding their claim of
`sanitize_css` being broken, I found these issues which seem to indicate it's
not a huge risk, but not correct either:
* https://github.com/html5lib/html5lib-python/issues/152
* https://github.com/html5lib/html5lib-python/issues/316
* https://github.com/html5lib/html5lib-python/issues/317
We have customized behavior with our `ForgeHTMLSanitizerFilter` class, so it'll
take careful work to make sure the right logic is still applied.
https://github.com/yourcelf/bleach-whitelist has a list of tags/attrs/styles
that could be handy (doesn't bleach have its own safe list?)
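As an added illustration (not Allura's `ForgeHTMLSanitizerFilter`, and not bleach or html5lib code), here is a minimal stdlib allow-list sanitizer showing the checks any replacement has to keep: tag and attribute allow-lists, an `href` scheme check, and the `style`-attribute filtering that the `sanitize_css` issues above concern. The tag, attribute and CSS property lists are made-up placeholders, not Allura's real configuration.

```python
import html, re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "b", "i", "p", "span", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"style"}, "p": {"style"}}
ALLOWED_CSS_PROPS = {"color", "font-weight", "text-align"}
# CSS values that can fetch remote resources or run script in legacy engines.
UNSAFE_CSS = re.compile(r"url\s*\(|expression\s*\(|@import|javascript:|\\", re.I)

def sanitize_css(style: str) -> str:
    kept = []  # only allow-listed properties whose values contain nothing active
    for prop, _, value in (d.partition(":") for d in style.split(";")):
        prop, value = prop.strip().lower(), value.strip()
        if prop in ALLOWED_CSS_PROPS and value and not UNSAFE_CSS.search(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)

def safe_url(url: str) -> bool:
    # Whitespace is removed first so a "java\nscript:" scheme cannot hide; "" = relative URL.
    return urlparse(re.sub(r"\s", "", url)).scheme.lower() in {"http", "https", "mailto", ""}

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:  # unknown tags: keep text only
            rendered = ""
            for name, value in attrs:  # unlisted attrs (on*, class, ...) are dropped
                value = sanitize_css(value or "") if name == "style" else (value or "")
                if name in ALLOWED_ATTRS.get(tag, ()) and value and (name != "href" or safe_url(value)):
                    rendered += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{rendered}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def clean(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Whatever library ends up doing this in Allura, the migration checklist is the same: confirm each of these four checks still fires on the existing `ForgeHTMLSanitizerFilter` test inputs.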