Merge commit '53372c3bbd545dfcc44f752bc54645ca71cc479a' into debian/buster (3.1.1)
Scott Kitterman
4 years ago
|
0 |
Bleach changes
|
|
1 |
==============
|
|
2 |
|
|
3 |
Version 3.1.1 (February 13th, 2020)
|
|
4 |
-----------------------------------
|
|
5 |
|
|
6 |
**Security fixes**
|
|
7 |
|
|
8 |
* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
|
|
9 |
browser behavior.
|
|
10 |
|
|
11 |
Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
|
|
12 |
the raw text tags (``title``, ``textarea``, ``script``, ``style``,
|
|
13 |
``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
|
|
14 |
to a mutation XSS.
|
|
15 |
|
|
16 |
This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
|
|
17 |
and v3.1.0. Earlier versions are probably affected too.
|
|
18 |
|
|
19 |
Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.
|
|
20 |
|
|
21 |
https://bugzilla.mozilla.org/show_bug.cgi?id=1615315
|
|
22 |
|
|
23 |
**Backwards incompatible changes**
|
|
24 |
|
|
25 |
None
|
|
26 |
|
|
27 |
**Features**
|
|
28 |
|
|
29 |
None
|
|
30 |
|
|
31 |
**Bug fixes**
|
|
32 |
|
|
33 |
None
|
|
34 |
|
| 0 | 35 |
Bleach changes
|
| 1 | 36 |
==============
|
| 2 | 37 |
|
|
| 75 | 110 |
|
| 76 | 111 |
* Fix ``list`` object has no attribute ``lower`` in ``clean``. (#398)
|
| 77 | 112 |
* Fix ``abbr`` getting escaped in ``linkify``. (#400)
|
| 78 | |
|
|
113 |
|
| 79 | 114 |
|
| 80 | 115 |
Version 3.0.0 (October 3rd, 2018)
|
| 81 | 116 |
---------------------------------
|
| 17 | 17 |
|
| 18 | 18 |
|
| 19 | 19 |
# yyyymmdd
|
| 20 | |
__releasedate__ = '20190109'
|
|
20 |
__releasedate__ = '20200213'
|
| 21 | 21 |
# x.y.z or x.y.z.dev0 -- semver
|
| 22 | |
__version__ = '3.1.0'
|
|
22 |
__version__ = '3.1.1'
|
| 23 | 23 |
VERSION = parse_version(__version__)
|
| 24 | 24 |
|
| 25 | 25 |
|
| 375 | 375 |
self.consume_entities = consume_entities
|
| 376 | 376 |
super(BleachHTMLParser, self).__init__(**kwargs)
|
| 377 | 377 |
|
| 378 | |
def _parse(self, stream, innerHTML=False, container='div', scripting=False, **kwargs):
|
|
378 |
def _parse(self, stream, innerHTML=False, container='div', scripting=True, **kwargs):
|
|
379 |
# set scripting=True to parse <noscript> as though JS is enabled to
|
|
380 |
# match the expected context in browsers
|
|
381 |
#
|
|
382 |
# https://html.spec.whatwg.org/multipage/scripting.html#the-noscript-element
|
|
383 |
#
|
| 379 | 384 |
# Override HTMLParser so we can swap out the tokenizer for our own.
|
| 380 | 385 |
self.innerHTMLMode = innerHTML
|
| 381 | 386 |
self.container = container
|
| 768 | 768 |
assert clean('<d {c}>') == '<d {c}>'
|
| 769 | 769 |
|
| 770 | 770 |
|
|
771 |
# tags that get content passed through (i.e. parsed with parseRCDataRawtext)
|
|
772 |
_raw_tags = [
|
|
773 |
"title",
|
|
774 |
"textarea",
|
|
775 |
"script",
|
|
776 |
"style",
|
|
777 |
"noembed",
|
|
778 |
"noframes",
|
|
779 |
"iframe",
|
|
780 |
"xmp",
|
|
781 |
]
|
|
782 |
|
|
783 |
@pytest.mark.parametrize(
|
|
784 |
"raw_tag, data, expected",
|
|
785 |
[
|
|
786 |
(
|
|
787 |
raw_tag,
|
|
788 |
"<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag,
|
|
789 |
"<noscript><%s></noscript><img src=x onerror=alert(1) />" % raw_tag,
|
|
790 |
)
|
|
791 |
for raw_tag in _raw_tags
|
|
792 |
],
|
|
793 |
)
|
|
794 |
def test_noscript_rawtag_(raw_tag, data, expected):
|
|
795 |
# refs: bug 1615315 / GHSA-q65m-pv3f-wr5r
|
|
796 |
assert clean(data, tags=["noscript", raw_tag]) == expected
|
|
797 |
|
|
798 |
|
| 771 | 799 |
def get_ids_and_tests():
|
| 772 | 800 |
"""Retrieves regression tests from data/ directory
|
| 773 | 801 |
|