#8297 Consider changing from html5lib sanitizer

unreleased
open
nobody
None
General
nobody
2026-07-06
2019-06-05
No

html5lib hasn't had a lot of activity or releases for a while. bleach is no longer maintained either

We have customized behavior with our ForgeHTMLSanitizerFilter class, so it'll take careful work to make sure the right logic is still applied.

https://nh3.readthedocs.io/ is a popular successor

https://turbohtml.readthedocs.io/ is a very new alternative

Discussion

  • Dave Brondsema

    Dave Brondsema - 2019-06-06

    The https://github.com/yourcelf/bleach-whitelist list doesn't look real good to me (very limited on tags, not limited enough on css rules). The new version of Pypeline I've been working on will use bleach and will come with a ruleset that should work well for Allura.

     
  • Dave Brondsema

    Dave Brondsema - 2026-07-06
    • summary: Consider changing from html5lib sanitizer to bleach sanitizer --> Consider changing from html5lib sanitizer
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,9 +1,7 @@
    -https://bleach.readthedocs.io/en/latest/goals.html#bleach-vs-html5lib has some reasons.  Also html5lib hasn't had a lot of activity or releases for a while, and bleach is more actively maintained.  Regarding their claim of `sanitize_css` being broken, I found these issues which seem to indicate its not a huge risk, but not correct either:
    -
    -* https://github.com/html5lib/html5lib-python/issues/152
    -* https://github.com/html5lib/html5lib-python/issues/316
    -* https://github.com/html5lib/html5lib-python/issues/317
    +html5lib hasn't had a lot of activity or releases for a while.  bleach is no longer maintained either
    
     We have customized behavior with our `ForgeHTMLSanitizerFilter` class, so it'll take careful work to make sure the right logic is still applied.
    
    -https://github.com/yourcelf/bleach-whitelist has a list of tags/attrs/styles that could be handy (doesn't bleach have its own safe list?)
    +https://nh3.readthedocs.io/ is a popular successor
    +
    +https://turbohtml.readthedocs.io/ is a very new alternative
    
     
  • Dave Brondsema

    Dave Brondsema - 2026-07-06

    Claude-generated POCs on 2 branches:

    • db/remove_html5lib_nh3 using nh3 (mature & maintained) but currently drops <script> and other disallowed tags instead of escaping them. Also has a slow bs4 pass after nh3 for some things nh3 can't handle (iframe allowed only for youtube sources, input only for checkbox)
    • db/remove_html5lib_turbohtml using turbohtml (very new right now, pre 1.0 release, things may change in it). Can't use its clean.sanitize for the same reasons nh3 fell short. If turbohtml had a callback for custom sanitization, it would roughly halve the sanitizer code, and nearly all of the security-critical logic would be removed (relying on turbohtml). Maybe placeholders could work, but fragile? POC included for that

    https://pypi.org/project/Pypeline/ will need changes too (shouldn't be too hard)

     

Log in to post a comment.