html5lib hasn't had a lot of activity or releases for a while. bleach is no longer maintained either
We have customized behavior with our ForgeHTMLSanitizerFilter class, so it'll take careful work to make sure the right logic is still applied.
https://nh3.readthedocs.io/ is a popular successor
https://turbohtml.readthedocs.io/ is a very new alternative
The https://github.com/yourcelf/bleach-whitelist list doesn't look real good to me (very limited on tags, not limited enough on css rules). The new version of Pypeline I've been working on will use
bleachand will come with a ruleset that should work well for Allura.Diff:
Claude-generated POCs on 2 branches:
db/remove_html5lib_nh3using nh3 (mature & maintained) but currently drops<script>and other disallowed tags instead of escaping them. Also has a slow bs4 pass after nh3 for some things nh3 can't handle (iframe allowed only for youtube sources, input only for checkbox)db/remove_html5lib_turbohtmlusing turbohtml (very new right now, pre 1.0 release, things may change in it). Can't use its clean.sanitize for the same reasons nh3 fell short. If turbohtml had a callback for custom sanitization, it would roughly halve the sanitizer code, and nearly all of the security-critical logic would be removed (relying on turbohtml). Maybe placeholders could work, but fragile? POC included for thathttps://pypi.org/project/Pypeline/ will need changes too (shouldn't be too hard)