Skip to content

Update dependency bleach to v6.4.0 [SECURITY]#14411

Open
renovate-bot wants to merge 1 commit into
GoogleCloudPlatform:mainfrom
renovate-bot:renovate/pypi-bleach-vulnerability
Open

Update dependency bleach to v6.4.0 [SECURITY]#14411
renovate-bot wants to merge 1 commit into
GoogleCloudPlatform:mainfrom
renovate-bot:renovate/pypi-bleach-vulnerability

Conversation

@renovate-bot

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
bleach ==6.1.0==6.4.0 age confidence
bleach ==6.2.0==6.4.0 age confidence

Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output

GHSA-8rfp-98v4-mmr6

More information

Details

Impact

A possible XSS bypass affects users calling bleach.clean with all of:

  • a in the allowed tags
  • href in allowed attributes

The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:

  • Bleach's output contains URI values that violate the caller's protocol allowlist, breaking the sanitizer's contract.
  • If a downstream system performs its own Unicode normalization on bleach's output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.

This is not a direct XSS vulnerability.

Python code example from reporter with Bleach v6.3.0 and Python 3.13:

import bleach
payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
result1 = bleach.clean(payload1)
print(f"(ZWSP): {repr(result1)}")

Output:

(ZWSP): '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
Patches

Users should upgrade to Bleach 6.4.0.

Workarounds

Pre-process content removing non-ASCII characters from URI schemes before sanitizing with bleach.clean.

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs will also help mitigate the risk.

References
Reported by

Reported by codeant from CodeAnt AI.

Severity

  • CVSS Score: 0.0 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes

GHSA-gj48-438w-jh9v

More information

Details

Summary

Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes.

Bleach applies URI protocol sanitization only to attributes listed in attr_val_is_uri. While URI-bearing attributes such as action, href, src, and poster are included in that set, formaction is not. As a result, if a downstream application explicitly allows formaction on submit-capable controls in untrusted HTML, Bleach preserves dangerous values such as javascript:alert(1) instead of stripping them.

This can lead to submit-triggered JavaScript execution in applications that rely on Bleach to sanitize untrusted HTML and allow the relevant tag/attribute combination.


Details

The issue appears to be a URI-sanitization coverage gap in Bleach’s sanitizer logic.

Relevant code paths:

  • bleach/sanitizer.pyBleachSanitizerFilter.allow_token (around line 553)
  • bleach/_vendor/html5lib/filters/sanitizer.pyattr_val_is_uri (around line 525)

In BleachSanitizerFilter.allow_token, URI protocol sanitization is only applied when:

if namespaced_name in self.attr_val_is_uri:

However, (None, 'formaction') is currently missing from attr_val_is_uri.

This creates an inconsistency where action is protocol-sanitized, but formaction is not.

As a result, if a downstream application allows:

  • tags such as <button> or <input>
  • the formaction attribute

then Bleach preserves dangerous URI schemes such as javascript: in formaction.

Examples of affected submit-capable controls include:

  • <button> (default submit behavior unless type="button" is set)
  • <input type="submit">
  • <input type="image">

This appears to be a real library-side sanitizer gap rather than only an application misuse issue, because Bleach already treats similar URI-bearing attributes (such as action) as protocol-sensitive and sanitizes them.

Suggested minimal fix:

Add:

(None, 'formaction')

to attr_val_is_uri in:

  • bleach/_vendor/html5lib/filters/sanitizer.py

I also prepared a minimal patch and focused regression tests if helpful.


PoC

Below are minimal reproductions using bleach.clean().

1) <button>
from bleach import clean

print(clean(
    '<form><button formaction="javascript:alert(1)">go</button></form>',
    tags={'form', 'button'},
    attributes={'button': ['formaction']},
))

Actual output:

<form><button formaction="javascript:alert(1)">go</button></form>

Expected output:

<form><button>go</button></form>

2) <input type="submit">
print(clean(
    '<form><input type="submit" formaction="javascript:alert(1)" value="go"></form>',
    tags={'form', 'input'},
    attributes={'input': ['type', 'formaction', 'value']},
))

Actual output:

<form><input type="submit" formaction="javascript:alert(1)" value="go"></form>

Expected output:

<form><input type="submit" value="go"></form>

3) <input type="image">
print(clean(
    '<form><input type="image" formaction="javascript:alert(1)" src="/foo.png"></form>',
    tags={'form', 'input'},
    attributes={'input': ['type', 'formaction', 'src']},
))

Actual output:

<form><input type="image" formaction="javascript:alert(1)" src="/foo.png"></form>

Expected output:

<form><input type="image" src="/foo.png"></form>

Impact

This is a client-side HTML sanitization bypass / dangerous URI preservation issue.

If an application relies on Bleach to sanitize untrusted HTML and explicitly allows:

  • formaction
  • and submit-capable controls such as <button> or <input>

then Bleach can emit sanitized output that still contains a dangerous javascript: URI in formaction.

That can lead to submit-triggered JavaScript execution when the user activates the control.

Impact is limited to configurations that explicitly allow the relevant tag/attribute combination, but the issue is still security-relevant because:

  • formaction is a real browser sink
  • Bleach already protocol-sanitizes similar URI-bearing attributes like action
  • the omission creates inconsistent sanitizer coverage for dangerous URI schemes

I would currently assess this as Medium severity.

If useful, I also have:

  • a minimal patch

  • focused regression tests for:

    • <button formaction="javascript:...">
    • <input type="submit" formaction="javascript:...">
    • <input type="image" formaction="javascript:...">
    • a safe control case where formaction="/submit" is preserved

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

mozilla/bleach (bleach)

v6.4.0

Compare Source

NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
releases including for security issues.

See issue: <https://github.com/mozilla/bleach/issues/698>__

Backwards incompatible changes

  • Dropped support for pypy 3.10. (#​764)

Security fixes

  • Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.

    Fix XSS issue with sanitize_uri_value where disallowed schemes with
    Unicode invisible characters wouldn't be rejected.

    For example::

    import bleach
    payload1 = 'Click'
    result1 = bleach.clean(payload1)
    print(repr(result1))

    outputs::

    'Click'

    See the advisory for details.

  • Fix GHSA-gj48-438w-jh9v.

    Fix issue where URI sanitization wasn't happening in formaction attributes.

    See the advisory for details.

Bug fixes

  • Add support for pypy 3.11. (#​764)

  • Drop version max in tinycss2 pin. (#​772)

    This removes one of the things we had to keep checking and updating. Users
    now own the responsibility for correctness with the version of tinycss2
    they're using.

v6.3.0

Compare Source

Backwards incompatible changes

  • Dropped support for Python 3.9. (#​756)

Security fixes

None

Bug fixes

v6.2.0

Compare Source

Backwards incompatible changes

  • Dropped support for Python 3.8. (#​737)

Security fixes

None

Bug fixes

  • Add support for Python 3.13. (#​736)
  • Remove six depdenncy. (#​618)
  • Update known-good versions for tinycss2. (#​732)
  • Fix additional < followed by characters and EOF issues. (#​728)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested review from a team as code owners July 13, 2026 22:15
@trusted-contributions-gcf trusted-contributions-gcf Bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels Jul 13, 2026
@product-auto-label product-auto-label Bot added samples Issues that are directly related to samples. api: run Issues related to the Cloud Run API. labels Jul 13, 2026
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Jul 13, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the 'bleach' dependency to version 6.4.0 in the requirements.txt file. The feedback suggests simplifying the dependency declaration by removing the environment markers for older Python versions, as Python versions below 3.10 are no longer supported.

Comment on lines +4 to +5
bleach==6.4.0; python_version >= "3.9"
bleach==6.4.0; python_version <= "3.8"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Python versions below 3.10 are no longer supported. Please do not specify fallback dependency versions or environment markers for Python versions older than 3.10. You can simplify this to a single requirement.

bleach==6.4.0
References
  1. Do not specify fallback dependency versions or environment markers for Python versions older than 3.10, as Python versions below 3.10 are no longer supported.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api: run Issues related to the Cloud Run API. owlbot:run Add this label to trigger the Owlbot post processor. samples Issues that are directly related to samples.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants