Merge pull request #31678 from openedx/feanil/upgrade_bleach

feanil/upgrade bleach

lms/djangoapps/discussion/rest_api/render.py

@@ -7,11 +7,11 @@ implemented in Markdown.Sanitizer.js.
 import bleach
 import markdown
 
-ALLOWED_TAGS = bleach.ALLOWED_TAGS + [
+ALLOWED_TAGS = bleach.ALLOWED_TAGS | {
     'br', 'dd', 'del', 'dl', 'dt', 'h1', 'h2', 'h3', 'h4', 'hr', 'img', 'kbd', 'p', 'pre', 's',
     'strike', 'sub', 'sup'
-]
-ALLOWED_PROTOCOLS = ["http", "https", "ftp", "mailto"]
+}
+ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}
 ALLOWED_ATTRIBUTES = {
     "a": ["href", "title", "target", "rel"],
     "img": ["src", "alt", "title", "width", "height"],

lms/templates/courseware/progress_graph.js

@@ -74,7 +74,7 @@ $(function () {
       ## allowing the display of such images, and remove any previously stored HTML
       ## to prevent ugly HTML from being shown to learners.
       ## xss-lint: disable=javascript-jquery-append
-      ticks.append( [tickIndex, bleach.clean(section['label'], tags=[], strip=True)] )
+      ticks.append( [tickIndex, bleach.clean(section['label'], tags=set(), strip=True)] )
 
       if section['category'] in detail_tooltips:
           ## xss-lint: disable=javascript-jquery-append

openedx/core/djangolib/markup.py

@@ -53,7 +53,7 @@ def strip_all_tags_but_br(string_to_strip):
         string_to_strip = ""
 
     string_to_strip = decode.utf8(string_to_strip)
-    string_to_strip = bleach.clean(string_to_strip, tags=['br'], strip=True)
+    string_to_strip = bleach.clean(string_to_strip, tags={'br'}, strip=True)
 
     return HTML(string_to_strip)
 

requirements/constraints.txt

@@ -75,7 +75,3 @@ pyopenssl==22.0.0
 
 
 cryptography==38.0.4 # greater version has some issues with openssl.
-
-# These two constraints will be removed in this PR: https://github.com/openedx/edx-platform/pull/31678
-bleach[css]==5.0.1 # greater version has some breaking changes.
-openedx-django-wiki<2.0.0 # greater version needs bleech >6.0.0

requirements/edx/base.txt

@@ -60,9 +60,8 @@ beautifulsoup4==4.11.2
     # via pynliner
 billiard==3.6.4.0
     # via celery
-bleach[css]==5.0.1
+bleach[css]==6.0.0
     # via
-    #   -c requirements/edx/../constraints.txt
     #   -r requirements/edx/base.in
     #   edx-enterprise
     #   lti-consumer-xblock
@@ -667,7 +666,7 @@ libsass==0.10.0
     #   ora2
 loremipsum==1.0.5
     # via ora2
-lti-consumer-xblock==7.3.0
+lti-consumer-xblock==8.0.0
     # via -r requirements/edx/base.in
 lxml==4.9.2
     # via
@@ -757,10 +756,8 @@ openedx-calc==3.0.1
     # via -r requirements/edx/base.in
 openedx-django-pyfs==3.2.1
     # via xblock
-openedx-django-wiki==1.1.4
-    # via
-    #   -c requirements/edx/../constraints.txt
-    #   -r requirements/edx/base.in
+openedx-django-wiki==2.0.0
+    # via -r requirements/edx/base.in
 openedx-events==4.2.0
     # via
     #   -r requirements/edx/base.in
@@ -771,7 +768,7 @@ openedx-filters==1.0.0
     #   lti-consumer-xblock
 optimizely-sdk==4.1.0
     # via -r requirements/edx/base.in
-ora2==4.5.1
+ora2==5.0.0
     # via -r requirements/edx/base.in
 oscrypto==1.3.0
     # via snowflake-connector-python
@@ -1177,7 +1174,7 @@ xblock[django]==1.6.2
     #   xblock-google-drive
     #   xblock-poll
     #   xblock-utils
-xblock-drag-and-drop-v2==3.0.0
+xblock-drag-and-drop-v2==3.1.0
     # via -r requirements/edx/base.in
 xblock-google-drive==0.3.0
     # via -r requirements/edx/base.in

requirements/edx/development.txt

@@ -94,9 +94,8 @@ billiard==3.6.4.0
     # via
     #   -r requirements/edx/testing.txt
     #   celery
-bleach[css]==5.0.1
+bleach[css]==6.0.0
     # via
-    #   -c requirements/edx/../constraints.txt
     #   -r requirements/edx/testing.txt
     #   edx-enterprise
     #   lti-consumer-xblock
@@ -892,7 +891,7 @@ loremipsum==1.0.5
     # via
     #   -r requirements/edx/testing.txt
     #   ora2
-lti-consumer-xblock==7.3.0
+lti-consumer-xblock==8.0.0
     # via -r requirements/edx/testing.txt
 lxml==4.9.2
     # via
@@ -1004,10 +1003,8 @@ openedx-django-pyfs==3.2.1
     # via
     #   -r requirements/edx/testing.txt
     #   xblock
-openedx-django-wiki==1.1.4
-    # via
-    #   -c requirements/edx/../constraints.txt
-    #   -r requirements/edx/testing.txt
+openedx-django-wiki==2.0.0
+    # via -r requirements/edx/testing.txt
 openedx-events==4.2.0
     # via
     #   -r requirements/edx/testing.txt
@@ -1018,7 +1015,7 @@ openedx-filters==1.0.0
     #   lti-consumer-xblock
 optimizely-sdk==4.1.0
     # via -r requirements/edx/testing.txt
-ora2==4.5.1
+ora2==5.0.0
     # via -r requirements/edx/testing.txt
 oscrypto==1.3.0
     # via
@@ -1689,7 +1686,7 @@ xblock[django]==1.6.2
     #   xblock-google-drive
     #   xblock-poll
     #   xblock-utils
-xblock-drag-and-drop-v2==3.0.0
+xblock-drag-and-drop-v2==3.1.0
     # via -r requirements/edx/testing.txt
 xblock-google-drive==0.3.0
     # via -r requirements/edx/testing.txt

requirements/edx/pip.txt

@@ -4,9 +4,11 @@
 #
 #    make upgrade
 #
-pip==23.0
-    # via -r requirements/edx/pip.in
-setuptools==67.0.0
-    # via -r requirements/edx/pip.in
 wheel==0.38.4
     # via -r requirements/edx/pip.in
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==23.0
+    # via -r requirements/edx/pip.in
+setuptools==67.1.0
+    # via -r requirements/edx/pip.in

requirements/edx/testing.txt

@@ -66,7 +66,6 @@ attrs==22.2.0
     #   jsonschema
     #   lti-consumer-xblock
     #   openedx-events
-    #   outcome
     #   pytest
 babel==2.11.0
     # via
@@ -90,9 +89,8 @@ billiard==3.6.4.0
     # via
     #   -r requirements/edx/base.txt
     #   celery
-bleach[css]==5.0.1
+bleach[css]==6.0.0
     # via
-    #   -c requirements/edx/../constraints.txt
     #   -r requirements/edx/base.txt
     #   edx-enterprise
     #   lti-consumer-xblock
@@ -850,7 +848,7 @@ loremipsum==1.0.5
     # via
     #   -r requirements/edx/base.txt
     #   ora2
-lti-consumer-xblock==7.3.0
+lti-consumer-xblock==8.0.0
     # via -r requirements/edx/base.txt
 lxml==4.9.2
     # via
@@ -955,10 +953,8 @@ openedx-django-pyfs==3.2.1
     # via
     #   -r requirements/edx/base.txt
     #   xblock
-openedx-django-wiki==1.1.4
-    # via
-    #   -c requirements/edx/../constraints.txt
-    #   -r requirements/edx/base.txt
+openedx-django-wiki==2.0.0
+    # via -r requirements/edx/base.txt
 openedx-events==4.2.0
     # via
     #   -r requirements/edx/base.txt
@@ -969,7 +965,7 @@ openedx-filters==1.0.0
     #   lti-consumer-xblock
 optimizely-sdk==4.1.0
     # via -r requirements/edx/base.txt
-ora2==4.5.1
+ora2==5.0.0
     # via -r requirements/edx/base.txt
 oscrypto==1.3.0
     # via
@@ -1562,7 +1558,7 @@ xblock[django]==1.6.2
     #   xblock-google-drive
     #   xblock-poll
     #   xblock-utils
-xblock-drag-and-drop-v2==3.0.0
+xblock-drag-and-drop-v2==3.1.0
     # via -r requirements/edx/base.txt
 xblock-google-drive==0.3.0
     # via -r requirements/edx/base.txt

xmodule/capa/util.py

@@ -191,8 +191,8 @@ def sanitize_html(html_code):
     })
     output = bleach.clean(
         html_code,
-        protocols=bleach.ALLOWED_PROTOCOLS + ['data'],
-        tags=bleach.ALLOWED_TAGS + ['div', 'p', 'audio', 'pre', 'img', 'span'],
+        protocols=bleach.ALLOWED_PROTOCOLS | {'data'},
+        tags=bleach.ALLOWED_TAGS | {'div', 'p', 'audio', 'pre', 'img', 'span'},
         css_sanitizer=CSSSanitizer(allowed_css_properties=["white-space"]),
         attributes=attributes
     )
@@ -216,12 +216,12 @@ def remove_markup(html):
     """
     Return html with markup stripped and text HTML-escaped.
 
-    >>> bleach.clean("<b>Rock & Roll</b>", tags=[], strip=True)
+    >>> bleach.clean("<b>Rock & Roll</b>", tags=set(), strip=True)
     'Rock &amp; Roll'
-    >>> bleach.clean("<b>Rock &amp; Roll</b>", tags=[], strip=True)
+    >>> bleach.clean("<b>Rock &amp; Roll</b>", tags=set(), strip=True)
     'Rock &amp; Roll'
     """
-    return HTML(bleach.clean(html, tags=[], strip=True))
+    return HTML(bleach.clean(html, tags=set(), strip=True))
 
 
 def get_course_id_from_capa_block(capa_block):