
chore: lxml >= 5.2.0 requires html_clean to be installed explicitly

cf. https://pypi.org/project/lxml/5.2.0/

https://github.com/lxml/lxml/blob/master/CHANGES.txt

5.2.0 (2024-03-30)

LP#1958539: The lxml.html.clean implementation suffered from several (only if used) security issues in the past and was now extracted into a separate library:

https://github.com/fedora-python/lxml_html_clean

Projects that use lxml without "lxml.html.clean" will not notice any difference, except that they won't have potentially vulnerable code installed. The module is available as an "extra" setuptools dependency "lxml[html_clean]", so that projects that need "lxml.html.clean" will need to switch their requirements from "lxml" to "lxml[html_clean]", or install the new library themselves.

In our code:

# cubicweb/uilib.py

# On lxml >= 5.2.0 this import only succeeds when the "html_clean" extra
# (the separate lxml_html_clean package) is installed.
from lxml.html import defs, clean

# ALLOWED_TAGS is defined elsewhere in cubicweb/uilib.py.
CLEANER = clean.Cleaner(
    allow_tags=ALLOWED_TAGS,
    remove_unknown_tags=False,
    style=True,
    safe_attrs_only=True,
    add_nofollow=False,
)
Edited by Nicola Spanti
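As an added example (not part of this merge request or of the cubicweb code base), the following helpers show the two practical consequences of the changelog entry quoted above: how to decide from an installed lxml version whether the `html_clean` extra is needed, how to rewrite a requirements line from `lxml` to `lxml[html_clean]` without disturbing version specifiers or other packages, and how to import `Cleaner` in a way that works on both lxml generations. The function names and the sample requirements text are assumptions made for this example.

```python
"""Helpers for the lxml >= 5.2.0 html_clean split (example code, not cubicweb's)."""
import re

# Version at which lxml.html.clean became a shim over the separate lxml_html_clean package.
HTML_CLEAN_SPLIT_VERSION = (5, 2, 0)

# Matches a requirement for the package "lxml" exactly (not "lxml-stubs" etc.),
# capturing indentation, an optional existing extras list and the remaining
# specifier/marker/comment text.
_LXML_REQ = re.compile(
    r"^(\s*)(lxml)(?![A-Za-z0-9._-])(?:\[([^\]]*)\])?(.*)$", re.IGNORECASE
)


def requires_html_clean_extra(lxml_version: str) -> bool:
    """Return True when this lxml version no longer bundles lxml.html.clean.

    Only the leading numeric part of each of the first three components is
    compared, so "5.2.0a1" is treated like 5.2.0.
    """
    parts = []
    for piece in lxml_version.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) >= HTML_CLEAN_SPLIT_VERSION


def add_html_clean_extra(line: str) -> str:
    """Rewrite a single requirements line so an lxml requirement carries the html_clean extra.

    Lines for other packages, comments and pip options are returned unchanged;
    an existing extras list is extended rather than replaced, and the extra is
    not duplicated if it is already present.
    """
    match = _LXML_REQ.match(line)
    if not match:
        return line
    indent, name, extras, rest = match.groups()
    names = [e.strip() for e in extras.split(",")] if extras else []
    names = [e for e in names if e]
    if not any(e.lower().replace("-", "_") == "html_clean" for e in names):
        names.append("html_clean")
    return f"{indent}{name}[{','.join(names)}]{rest}"


def fix_requirements(text: str) -> str:
    """Apply add_html_clean_extra to every line of a requirements file."""
    return "\n".join(add_html_clean_extra(line) for line in text.split("\n"))


def load_cleaner():
    """Return the Cleaner class regardless of which lxml generation is installed.

    lxml >= 5.2.0 only provides lxml.html.clean as a shim over lxml_html_clean,
    so the standalone package is tried first; on older lxml, or when the extra is
    installed, the bundled module path still works.  If neither is available the
    ImportError from lxml (which explains the missing extra) is left to propagate.
    """
    try:
        from lxml_html_clean import Cleaner
    except ImportError:
        from lxml.html.clean import Cleaner
    return Cleaner


# Constructed sample requirements file used to exercise the rewriter.
SAMPLE_REQUIREMENTS = """\
# web stack
lxml>=4.9
lxml-stubs
requests>=2.31 ; python_version >= "3.8"
"""

if __name__ == "__main__":
    print(requires_html_clean_extra("5.1.1"), requires_html_clean_extra("5.2.0"))
    print(fix_requirements(SAMPLE_REQUIREMENTS))
```

`fix_requirements` only touches lines whose package name is exactly `lxml`, so `lxml-stubs` and unrelated packages pass through untouched, and an existing `lxml[html_clean]` pin is left as is; running a CI check that the rewritten file equals the committed one is a simple way to catch the regression this merge request fixes.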
