MIT-LCP
Upgrade to latest bleach and/or something else
We're using what is now a rather outdated version of Bleach, and the future of Bleach itself doesn't look great.
I don't know of any existing security issues that would affect us. But in the short term we should upgrade to Bleach 6.x, and in the long term look for an alternative that has solid upstream support.
The great thing about Bleach 3.x is that its configuration format is almost identical to ckeditor's, particularly in regard to CSS. Bleach 5.x changed this, so sanitizing CSS is more complicated and it's not trivial to upgrade.
The chief alternative to bleach that seems to be recommended is ammonia, and that apparently doesn't have any support for sanitizing CSS (?!)
Our needs for handling CSS are pretty minimal, but still this is annoying.
I guess you've seen, but it looks like there is a Python wrapper for Ammonia (which is Rust): https://nh3.readthedocs.io/en/latest/
I assume the sanitization functions are only used for content submitted through CKEditor? I'd always assumed that we didn't support CSS in CKEditor content. Do we need to support CSS?
