From de7d4ad95714ee3de12b2279cc4b1e24be8c09ea Mon Sep 17 00:00:00 2001
From: Arthur
Date: Wed, 10 Jan 2024 13:33:27 -0800
Subject: [PATCH] 12851 replace bleach with nh3
---
 base_requirements.txt | 8 ++++----
 netbox/utilities/utils.py | 18 +++++++++---------
 requirements.txt | 2 +-
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/base_requirements.txt b/base_requirements.txt
index 0c7e54b13..87a3066c4 100644
--- a/base_requirements.txt
+++ b/base_requirements.txt
@@ -1,7 +1,3 @@
-# HTML sanitizer
-# https://github.com/mozilla/bleach/blob/main/CHANGES
-bleach
-
 # The Python web framework on which NetBox is built
 # https://docs.djangoproject.com/en/stable/releases/
 Django<5.1
@@ -108,6 +104,10 @@ mkdocstrings[python-legacy]
 # https://github.com/netaddr/netaddr/blob/master/CHANGELOG
 netaddr
+# Python bindings to the ammonia HTML sanitization library.
+# https://github.com/messense/nh3
+nh3
+
 # Fork of PIL (Python Imaging Library) for image processing
 # https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst
 Pillow
diff --git a/netbox/utilities/utils.py b/netbox/utilities/utils.py
index f3f8c7c50..3fdf733b5 100644
--- a/netbox/utilities/utils.py
+++ b/netbox/utilities/utils.py
@@ -1,11 +1,11 @@
 import datetime
 import decimal
 import json
+import nh3
 import re
 from decimal import Decimal
 from itertools import count, groupby
-import bleach
 from django.contrib.contenttypes.models import ContentType
 from django.core import serializers
 from django.db.models import Count, ManyToOneRel, OuterRef, Subquery
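Review bot: In the first hunk of netbox/utilities/utils.py the new `import nh3` is placed inside the standard-library group, between `import json` and `import re`, although the `import bleach` it replaces sat with the third-party imports. nh3 is a third-party package, so for consistency with the file's grouping it belongs in the lower group, e.g. directly above `from django.contrib.contenttypes.models import ContentType`. This is a point of style only; the import itself is correct.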
@@ -522,19 +522,19 @@ def clean_html(html, schemes):
 }
 ALLOWED_ATTRIBUTES = {
- "div": ['class'],
- "h1": ["id"], "h2": ["id"], "h3": ["id"], "h4": ["id"], "h5": ["id"], "h6": ["id"],
- "a": ["href", "title"],
- "img": ["src", "title", "alt"],
- "th": ["align"],
- "td": ["align"],
+ "div": {'class'},
+ "h1": {"id"}, "h2": {"id"}, "h3": {"id"}, "h4": {"id"}, "h5": {"id"}, "h6": {"id"},
+ "a": {"href", "title"},
+ "img": {"src", "title", "alt"},
+ "th": {"align"},
+ "td": {"align"},
 }
- return bleach.clean(
+ return nh3.clean(
 html,
 tags=ALLOWED_TAGS,
 attributes=ALLOWED_ATTRIBUTES,
- protocols=schemes
+ url_schemes=set(schemes)
 )
diff --git a/requirements.txt b/requirements.txt
index 788a22f9c..cc733d4b9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,3 @@
-bleach==6.1.0
 Django==5.0.1
 django-cors-headers==4.3.1
 django-debug-toolbar==4.2.0
@@ -24,6 +23,7 @@ Markdown==3.5.1
 mkdocs-material==9.5.3
 mkdocstrings[python-legacy]==0.24.0
 netaddr==0.9.0
+nh3==0.2.15
 Pillow==10.1.0
 psycopg[binary,pool]==3.1.16
 PyYAML==6.0.1
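Review bot: Swapping `bleach.clean` for `nh3.clean` on the `return` line changes what clean_html emits for disallowed markup, and the hunk documents none of it: bleach escaped disallowed tags by default (strip=False) so they survived as visible text, whereas nh3/ammonia strips disallowed tags, discards the content of `<script>` and `<style>` entirely (its default `clean_content_tags`), and adds `rel="noopener noreferrer"` to every `<a>` through its `link_rel` default. Those are sound sanitizer semantics, but callers that relied on the escaped output, and any tests pinned to bleach's output, will see a difference, so I would state it above the call: `# nh3 (ammonia) strips disallowed tags instead of escaping them as bleach did, drops <script>/<style> content and adds rel="noopener noreferrer" to links by default`. One detail to confirm: nh3's `attributes` mapping reserves a `"*"` key for attributes allowed on every tag, and without one ammonia's own generic defaults (`lang`, `title`) appear to stay allowed globally, which is slightly wider than the per-tag allow-list in this hunk suggests. `ALLOWED_TAGS`, the function's docstring and the rest of clean_html lie outside the hunk; if the docstring still names bleach it should be updated with the change.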