python · bleach
Heads-up
Bleach fails to strip disallowed URI schemes with Unicode characters
What changed
Bleach's `bleach.clean` function fails to strip disallowed URI schemes when they contain Unicode characters (e.g., zero-width space), allowing URIs like `javascript\u200b:alert(1)` to pass through. This breaks the protocol allowlist contract and could be exploited if downstream systems normalize Unicode.
Who it affects
Users of Bleach who allow `a` tags and `href` attributes in `bleach.clean`, especially those relying on the sanitizer to enforce a protocol allowlist.
What to do today
Upgrade to Bleach 6.4.0, or apply the workaround: pre-process content to remove non-ASCII characters from URI schemes before sanitizing.
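The workaround above as an added example (not Bleach's own code): strip non-ASCII characters from the scheme part of each `href` before the fragment reaches the sanitizer. `scheme_allowed` is a simplified stand-in for a protocol allowlist check built on `urllib.parse.urlsplit`, which only recognizes ASCII scheme characters, so it reproduces the failure mode; the allowlist contents, the `href` regex and wiring into `bleach.clean` are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for this example; Bleach's defaults are not reproduced here.
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}

# Constructed matcher for double-quoted href values, not a general HTML parser.
HREF_RE = re.compile(r'(href\s*=\s*")([^"]*)(")', re.IGNORECASE)


def normalize_scheme(url: str) -> str:
    """Drop every non-ASCII character from the text before the first ':'.

    A zero-width space (U+200B) inside 'javascript' hides the scheme from an
    ASCII-only scheme parser; removing it exposes the real scheme so the
    allowlist can reject it. Everything after the ':' is left untouched.
    """
    head, sep, rest = url.partition(":")
    if not sep:
        return url  # no ':' at all, so nothing that could be a scheme
    ascii_head = "".join(ch for ch in head if ord(ch) < 128)
    return ascii_head + sep + rest


def scheme_allowed(url: str, allowed=ALLOWED_PROTOCOLS) -> bool:
    """Simplified protocol allowlist check (stand-in, not Bleach's logic).

    urlsplit treats only ASCII letters, digits, '+', '-' and '.' as scheme
    characters, so 'javascript\u200b:...' parses as a relative URL with an
    empty scheme and passes. That is the bypass the advisory describes.
    """
    scheme = urlsplit(url).scheme.lower()
    return scheme == "" or scheme in allowed


def preprocess_hrefs(html: str) -> str:
    """Workaround: normalize each href's scheme before calling the sanitizer."""
    return HREF_RE.sub(
        lambda m: m.group(1) + normalize_scheme(m.group(2)) + m.group(3), html
    )


def check_link(url: str):
    """Return (allowed before normalization, allowed after normalization)."""
    return scheme_allowed(url), scheme_allowed(normalize_scheme(url))


if __name__ == "__main__":
    payload = "javascript\u200b:alert(1)"  # the URI quoted in the advisory
    print(check_link(payload))  # (True, False): passes raw, blocked once normalized
    print(preprocess_hrefs('<a href="%s">x</a>' % payload))
```

After `preprocess_hrefs` the now-visible `javascript:` scheme is left for the sanitizer's own protocol allowlist to drop, so the pre-processing complements rather than replaces that check.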
Source
GitHub Advisory · bleach