bleach is deprecated; statement on project going forward (2023-01-23)

[willkg]

Summary

As of now, Bleach is deprecated.

We will continue to support Bleach:

1. security updates
2. support for new Python versions
3. fixes for egregious bugs

I figure that's one release a year or something like that.

Why?

Bleach sits on top of--and heavily relies on--html5lib which is no longer in active development. It is increasingly difficult to maintain Bleach in that context and I think it's nuts to build a security library on top of a library that's not in active development. There are some options (switch to something else, take over html5lib, etc), I don't particularly like any of them. I think instead, someone new should explore the options with a brand new library and a fresh start.

[hugovk]

Thank you for all your work on Bleach, and for announcing this clearly and with plenty of notice!

[Lukas-J]

Hi @willkg ,
It seems there is some activity going on in html5lib. So maybe not all hope is lost for bleach. Is there any way it could become un-deprecated sometime?

If not, I'm struggling finding a suitable replacement for bleach to be honest. Does someone have recommendations to safely sanitize html user input?

Cheers!