chore: lxml >= 5.2.0 requires explicitly installing html_clean
cf https://pypi.org/project/lxml/5.2.0/
https://github.com/lxml/lxml/blob/master/CHANGES.txt
5.2.0 (2024-03-30)
LP#1958539: The lxml.html.clean implementation suffered from several (only if used) security issues in the past and was now extracted into a separate library: https://github.com/fedora-python/lxml_html_clean
Projects that use lxml without "lxml.html.clean" will not notice any difference, except that they won't have potentially vulnerable code installed. The module is available as an "extra" setuptools dependency "lxml[html_clean]", so that Projects that need "lxml.html.clean" will need to switch their requirements from "lxml" to "lxml[html_clean]", or install the new library themselves.
In our code:
# cubicweb/uilib.py
from lxml.html import defs, clean
CLEANER = clean.Cleaner(
    allow_tags=ALLOWED_TAGS,
    remove_unknown_tags=False,
    style=True,
    safe_attrs_only=True,
    add_nofollow=False,
)
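
A pre-upgrade check for the situation the changelog describes, added here as an example (not code from cubicweb or lxml): it flags a module that imports `lxml.html.clean` while the requirements declare neither `lxml[html_clean]` nor `lxml_html_clean`. The function names and the sample requirement lines are assumptions made for illustration.

```python
import ast
import re

# Leading package name and optional extras of a requirement line,
# e.g. "lxml[html_clean]>=5.2.0" -> ("lxml", "html_clean").
_REQ = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:\[([^\]]*)\])?")


def _norm(name):
    # PEP 503 normalisation: lxml_html_clean == lxml-html-clean
    return re.sub(r"[-_.]+", "-", name).lower()


def uses_html_clean(source):
    """True if the source imports lxml.html.clean in any import form.
    Attribute access after `from lxml import html` is not detected."""
    target = "lxml.html.clean"
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            mod = node.module or ""
            # "from lxml.html import clean" -> "lxml.html.clean"
            names = [mod] + [mod + "." + alias.name for alias in node.names]
        else:
            continue
        if any(n == target or n.startswith(target + ".") for n in names):
            return True
    return False


def provides_html_clean(requirements):
    """True if the requirements install the cleaner, through the
    lxml[html_clean] extra or the separate lxml_html_clean package."""
    for line in requirements.splitlines():
        match = _REQ.match(line.split("#", 1)[0])  # drop comments
        if not match:
            continue
        name = _norm(match.group(1))
        extras = {_norm(e.strip()) for e in (match.group(2) or "").split(",") if e.strip()}
        if name == "lxml-html-clean" or (name == "lxml" and "html-clean" in extras):
            return True
    return False


def missing_cleaner_dependency(source, requirements):
    """True when the code needs the cleaner but nothing installs it."""
    return uses_html_clean(source) and not provides_html_clean(requirements)


# Constructed sample: the import line quoted above.
SAMPLE_SOURCE = "from lxml.html import defs, clean\n"
```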