-
Notifications
You must be signed in to change notification settings - Fork 974
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider switching from lxml's clean_html for enhanced security (and possibly performance) #558
Comments
Just an update on this. The latest version of If you want to continue using it, you can either depend on |
kylebgorman
added a commit
to kylebgorman/wikipron
that referenced
this issue
Apr 8, 2024
kylebgorman
added a commit
to CUNY-CL/wikipron
that referenced
this issue
Apr 9, 2024
* Fixes excessive line wrapping. * Adds changelog update. * Reruns with current `black`. * Adds lxml_html_clean dependency. For context, see: psf/requests-html#558 (comment) psf/requests-html#569 (comment) * [nan] Removes specialized selector. It seems that Min Nan has been totally removed from English Wiktionary. * updates changelog * Adds new dependency to pyproject.toml too.
tomkinsc
added a commit
to broadinstitute/viral-classify
that referenced
this issue
Aug 23, 2024
lxml-html-clean dependency since it currently breaks tests due to being migrated to a separate module. We're not currently using it, so omitting the import is fine. Should its functionality be needed again, the conda package "lxml-html-clean" will need to be installed. See: https://bugs.launchpad.net/lxml/+bug/1958539 psf/requests-html#558
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'd like to bring to your attention that we are discussing the possibility of removing lxml's clean_html functionality from lxml library. Over the past years, there have been several concerning security vulnerabilities discovered within the lxml library's clean_html functionality – CVE-2021-43818, CVE-2021-28957, CVE-2020-27783, CVE-2018-19787 and CVE-2014-3146.
The main problem is in the design. Because the lxml's clean_html functionality is based on a blocklist, it's hard to keep it up to date with all new possibilities in HTML and JS.
Two viable alternatives worth considering are
bleach
andnh3
. Here's why:bleach:
nh3:
We'll probably move the cleaning part of the lxml to a distinct project first so it will still be possible to use it but better is to find a suitable alternative sooner rather than later.
Let me know if we can help you with this transition anyhow and have a nice day.
The text was updated successfully, but these errors were encountered: