12851 replace bleach with nh3

2025-08-18 05:28:16 -06:00 · 2024-01-10 13:33:27 -08:00 · 2024-01-10 13:33:27 -08:00 · de7d4ad957
commit de7d4ad957
parent f8199339f5
3 changed files with 14 additions and 14 deletions
--- a/base_requirements.txt
+++ b/base_requirements.txt
@ -1,7 +1,3 @@
-# HTML sanitizer
-# https://github.com/mozilla/bleach/blob/main/CHANGES
-bleach
-
 # The Python web framework on which NetBox is built
 # https://docs.djangoproject.com/en/stable/releases/
 Django<5.1
@ -108,6 +104,10 @@ mkdocstrings[python-legacy]
 # https://github.com/netaddr/netaddr/blob/master/CHANGELOG
 netaddr

+# Python bindings to the ammonia HTML sanitization library.
+# https://github.com/messense/nh3
+nh3
+
 # Fork of PIL (Python Imaging Library) for image processing
 # https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst
 Pillow
--- a/netbox/utilities/utils.py
+++ b/netbox/utilities/utils.py
@ -1,11 +1,11 @@
 import datetime
 import decimal
 import json
+import nh3
 import re
 from decimal import Decimal
 from itertools import count, groupby

-import bleach
 from django.contrib.contenttypes.models import ContentType
 from django.core import serializers
 from django.db.models import Count, ManyToOneRel, OuterRef, Subquery
@ -522,19 +522,19 @@ def clean_html(html, schemes):
    }

    ALLOWED_ATTRIBUTES = {
-        "div": ['class'],
-        "h1": ["id"], "h2": ["id"], "h3": ["id"], "h4": ["id"], "h5": ["id"], "h6": ["id"],
-        "a": ["href", "title"],
-        "img": ["src", "title", "alt"],
-        "th": ["align"],
-        "td": ["align"],
+        "div": {'class'},
+        "h1": {"id"}, "h2": {"id"}, "h3": {"id"}, "h4": {"id"}, "h5": {"id"}, "h6": {"id"},
+        "a": {"href", "title"},
+        "img": {"src", "title", "alt"},
+        "th": {"align"},
+        "td": {"align"},
    }

-    return bleach.clean(
+    return nh3.clean(
        html,
        tags=ALLOWED_TAGS,
        attributes=ALLOWED_ATTRIBUTES,
-        protocols=schemes
+        url_schemes=set(schemes)
    )


--- a/requirements.txt
+++ b/requirements.txt
@ -1,4 +1,3 @@
-bleach==6.1.0
 Django==5.0.1
 django-cors-headers==4.3.1
 django-debug-toolbar==4.2.0
@ -24,6 +23,7 @@ Markdown==3.5.1
 mkdocs-material==9.5.3
 mkdocstrings[python-legacy]==0.24.0
 netaddr==0.9.0
+nh3==0.2.15
 Pillow==10.1.0
 psycopg[binary,pool]==3.1.16
 PyYAML==6.0.1