fix: Prepare for the bleach 6.0.0 upgrad.

Changelog: https://bleach.readthedocs.io/en/latest/changes.html#version-6-0-0-january-23rd-2023

The major change is that the tags and protocols attributes and related
constants are expected to be sets rather than lists.

lms/djangoapps/discussion/rest_api/render.py

@@ -7,11 +7,11 @@ implemented in Markdown.Sanitizer.js.
 import bleach
 import markdown
 
-ALLOWED_TAGS = bleach.ALLOWED_TAGS + [
+ALLOWED_TAGS = bleach.ALLOWED_TAGS | {
     'br', 'dd', 'del', 'dl', 'dt', 'h1', 'h2', 'h3', 'h4', 'hr', 'img', 'kbd', 'p', 'pre', 's',
     'strike', 'sub', 'sup'
-]
-ALLOWED_PROTOCOLS = ["http", "https", "ftp", "mailto"]
+}
+ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}
 ALLOWED_ATTRIBUTES = {
     "a": ["href", "title", "target", "rel"],
     "img": ["src", "alt", "title", "width", "height"],

lms/templates/courseware/progress_graph.js

@@ -74,7 +74,7 @@ $(function () {
       ## allowing the display of such images, and remove any previously stored HTML
       ## to prevent ugly HTML from being shown to learners.
       ## xss-lint: disable=javascript-jquery-append
-      ticks.append( [tickIndex, bleach.clean(section['label'], tags=[], strip=True)] )
+      ticks.append( [tickIndex, bleach.clean(section['label'], tags=set(), strip=True)] )
 
       if section['category'] in detail_tooltips:
           ## xss-lint: disable=javascript-jquery-append

openedx/core/djangolib/markup.py

@@ -53,7 +53,7 @@ def strip_all_tags_but_br(string_to_strip):
         string_to_strip = ""
 
     string_to_strip = decode.utf8(string_to_strip)
-    string_to_strip = bleach.clean(string_to_strip, tags=['br'], strip=True)
+    string_to_strip = bleach.clean(string_to_strip, tags={'br'}, strip=True)
 
     return HTML(string_to_strip)
 

requirements/constraints.txt

@@ -75,7 +75,3 @@ pyopenssl==22.0.0
 
 
 cryptography==38.0.4 # greater version has some issues with openssl.
-
-# These two constraints will be removed in this PR: https://github.com/openedx/edx-platform/pull/31678
-bleach[css]==5.0.1 # greater version has some breaking changes.
-openedx-django-wiki<2.0.0 # greater version needs bleech >6.0.0

xmodule/capa/util.py

@@ -191,8 +191,8 @@ def sanitize_html(html_code):
     })
     output = bleach.clean(
         html_code,
-        protocols=bleach.ALLOWED_PROTOCOLS + ['data'],
-        tags=bleach.ALLOWED_TAGS + ['div', 'p', 'audio', 'pre', 'img', 'span'],
+        protocols=bleach.ALLOWED_PROTOCOLS | {'data'},
+        tags=bleach.ALLOWED_TAGS | {'div', 'p', 'audio', 'pre', 'img', 'span'},
         css_sanitizer=CSSSanitizer(allowed_css_properties=["white-space"]),
         attributes=attributes
     )
@@ -216,12 +216,12 @@ def remove_markup(html):
     """
     Return html with markup stripped and text HTML-escaped.
 
-    >>> bleach.clean("<b>Rock & Roll</b>", tags=[], strip=True)
+    >>> bleach.clean("<b>Rock & Roll</b>", tags=set(), strip=True)
     'Rock &amp; Roll'
-    >>> bleach.clean("<b>Rock &amp; Roll</b>", tags=[], strip=True)
+    >>> bleach.clean("<b>Rock &amp; Roll</b>", tags=set(), strip=True)
     'Rock &amp; Roll'
     """
-    return HTML(bleach.clean(html, tags=[], strip=True))
+    return HTML(bleach.clean(html, tags=set(), strip=True))
 
 
 def get_course_id_from_capa_block(capa_block):