DeprecationWarning: html5lib's sanitizer is deprecated #632
Comments
(Resuming discussion from #469) After a first brief analysis, this looks considerably more complicated than simply swapping one function call to html5lib with another to bleach. Although bleach itself relies on html5lib, they have a significantly different API. bleach itself uses html5lib at the moment but is considering forking it for much the same reasons. Finally, html5lib seems to be used in several places throughout the plugin code, not just for sanitizing. It's unclear to me whether you'd expect to entirely remove html5lib, or just the sanitizing portions? All in all, maybe it'd be saner to wait for a decision from the bleach team on how they wish to handle html5lib and then either use their fork (if any is produced) or mimic / adapt what they'll choose to do.
Haven't tested it, and can't vouch for its security or capabilities, but html-sanitizer seems like a well-tested and well-supported alternative that doesn't use html5lib.
bleach is deprecated: mozilla/bleach#698
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
https://ckeditor.com/docs/ckeditor5/latest/updating/ckeditor4/migration-from-ckeditor-4.html end of life for ckeditor v4 was in June 23.
We need to remove html5lib and use html-sanitizer instead.
When checking out the deprecation messages of my djangoCMS project, I noticed that djangocms-text-ckeditor still uses html5lib, so I ended up here. In an issue on the bleach project, switching to nh3 is recommended; nh3 provides Python bindings to the Rust project ammonia (took some time to notice that NH_3 is the chemical formula of ammonia). I’ve been using it for a while without any problems. The only thing is: You can’t sanitize CSS selectively. But it seems that html-sanitizer doesn’t allow any inline styles at all. Anyway, that would be another option instead of using html-sanitizer.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This is the activity bot, the counterpart of the stale bot, reminding that this issue is still relevant!
Hello everyone,
I noticed that djangocms-text-ckeditor is requiring the html5lib package, which has a deprecated sanitizer.
html5lib recommends switching to bleach.
Is this something known? Will there be a fix in a next version?