[Python-modules-team] Bug#951907: Suggested Stable Fix

Salvatore Bonaccorso carnil at debian.org
Thu Feb 27 12:41:44 GMT 2020


Hi,

On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> I think though we might need to revisit the assessment that older
> versions are not affected. Look at this quick and dirty test
> deduced from the testsuite:

So I think versions before are vulnerable as well, but a fix will
not be so easy. First, b07814e0753c ("Extract all html5lib
things into a shim module") in v3.0.0 split some code from
bleach.sanitizer into bleach.html5lib_shim, and before that, 67afdf8ae7d3
("Prevent HTMLTokenizer from unescaping entities") in v2.1 was quite a
refactoring.

Now I'm not entirely sure how we should fix that for stretch.

Regards,
Salvatore
