Skip to content

bleach dependency has been unmaintained since 2025-06-05 #19894

Description

@anoadragon453

Synapse relies on the bleach dependency to sanitise HTML for any email we send out:

def safe_markup(raw_html: str) -> Markup:
"""
Sanitise a raw HTML string to a set of allowed tags and attributes, and linkify any bare URLs.
Args
raw_html: Unsafe HTML.
Returns:
A Markup object ready to safely use in a Jinja template.
"""
return Markup(
bleach.linkify(
bleach.clean(
raw_html,
tags=ALLOWED_TAGS,
attributes=ALLOWED_ATTRS,
strip=True,
)
)
)
def safe_text(raw_text: str) -> Markup:
"""
Sanitise text (escape any HTML tags), and then linkify any bare URLs.
Args
raw_text: Unsafe text which might include HTML markup.
Returns:
A Markup object ready to safely use in a Jinja template.
"""
return Markup(
bleach.linkify(bleach.clean(raw_text, tags=[], attributes=[], strip=False))
)

It has been marked as unmaintained since 2025-06-05. We should find an alternative library to sanitise our HTML (and to double-check that what we're doing here is actually making a difference).

There are not currently any reported vulnerabilities with the library (v6.4.0 last month fixed three), but it's only a matter of time...

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions