Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

replace bleach by lxml #93

Closed

Conversation

AndreasDickow
Copy link

No description provided.

@AndreasDickow
Copy link
Author

The Django Bleach project is deprecated so we replaced it by lxml

@parisk
Copy link
Contributor

parisk commented May 8, 2024

Hi @AndreasDickow, thanks a lot for your contribution, but we cannot accept it currently. There are a few reasons behind this.

First, we want to take our time and make an informed decision moving forward, as mentioned in #36 (comment). There is no time pressure at the moment.

Second, lxml has dropped mainstream support for clean_html (lxml/lxml#384), as it's not suitable for security-sensitive software like Django Prose.

Last, it looks like html5lib is back on development (html5lib/html5lib-python#560), which was the main reason behind the deprecation of Bleach (mozilla/bleach#698). This removes even more pressure from our shoulders to make an urgent decision.

Given the comments above, I believe the most probable scenario is to move on with nh3 in the next major release of Django Prose, unless Bleach gets back in development, so we do not need to do an update at all.

Thanks a lot for putting the time to contribute this PR! The discussion for the potential next security library for Django Prose is #38. We would love to get your input and suggestions there.

@parisk parisk closed this May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants