diff --git a/lms/djangoapps/discussion/rest_api/render.py b/lms/djangoapps/discussion/rest_api/render.py
index fb302423c8..44e2d8b692 100644
--- a/lms/djangoapps/discussion/rest_api/render.py
+++ b/lms/djangoapps/discussion/rest_api/render.py
@@ -7,11 +7,11 @@ implemented in Markdown.Sanitizer.js.
import bleach
import markdown
-ALLOWED_TAGS = bleach.ALLOWED_TAGS + [
+ALLOWED_TAGS = bleach.ALLOWED_TAGS | {
'br', 'dd', 'del', 'dl', 'dt', 'h1', 'h2', 'h3', 'h4', 'hr', 'img', 'kbd', 'p', 'pre', 's',
'strike', 'sub', 'sup'
-]
-ALLOWED_PROTOCOLS = ["http", "https", "ftp", "mailto"]
+}
+ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}
ALLOWED_ATTRIBUTES = {
"a": ["href", "title", "target", "rel"],
"img": ["src", "alt", "title", "width", "height"],
diff --git a/lms/templates/courseware/progress_graph.js b/lms/templates/courseware/progress_graph.js
index d2a10e511f..5a1d64c36e 100644
--- a/lms/templates/courseware/progress_graph.js
+++ b/lms/templates/courseware/progress_graph.js
@@ -74,7 +74,7 @@ $(function () {
## allowing the display of such images, and remove any previously stored HTML
## to prevent ugly HTML from being shown to learners.
## xss-lint: disable=javascript-jquery-append
- ticks.append( [tickIndex, bleach.clean(section['label'], tags=[], strip=True)] )
+ ticks.append( [tickIndex, bleach.clean(section['label'], tags=set(), strip=True)] )
if section['category'] in detail_tooltips:
## xss-lint: disable=javascript-jquery-append
diff --git a/openedx/core/djangolib/markup.py b/openedx/core/djangolib/markup.py
index 8dd5e3699e..3009f1d53f 100644
--- a/openedx/core/djangolib/markup.py
+++ b/openedx/core/djangolib/markup.py
@@ -53,7 +53,7 @@ def strip_all_tags_but_br(string_to_strip):
string_to_strip = ""
string_to_strip = decode.utf8(string_to_strip)
- string_to_strip = bleach.clean(string_to_strip, tags=['br'], strip=True)
+ string_to_strip = bleach.clean(string_to_strip, tags={'br'}, strip=True)
return HTML(string_to_strip)
diff --git a/requirements/constraints.txt b/requirements/constraints.txt
index 135989601f..0d7c360cca 100644
--- a/requirements/constraints.txt
+++ b/requirements/constraints.txt
@@ -75,7 +75,3 @@ pyopenssl==22.0.0
cryptography==38.0.4 # greater version has some issues with openssl.
-
-# These two constraints will be removed in this PR: https://github.com/openedx/edx-platform/pull/31678
-bleach[css]==5.0.1 # greater version has some breaking changes.
-openedx-django-wiki<2.0.0 # greater version needs bleech >6.0.0
diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt
index c730329027..8696880dcb 100644
--- a/requirements/edx/base.txt
+++ b/requirements/edx/base.txt
@@ -60,9 +60,8 @@ beautifulsoup4==4.11.2
# via pynliner
billiard==3.6.4.0
# via celery
-bleach[css]==5.0.1
+bleach[css]==6.0.0
# via
- # -c requirements/edx/../constraints.txt
# -r requirements/edx/base.in
# edx-enterprise
# lti-consumer-xblock
@@ -667,7 +666,7 @@ libsass==0.10.0
# ora2
loremipsum==1.0.5
# via ora2
-lti-consumer-xblock==7.3.0
+lti-consumer-xblock==8.0.0
# via -r requirements/edx/base.in
lxml==4.9.2
# via
@@ -757,10 +756,8 @@ openedx-calc==3.0.1
# via -r requirements/edx/base.in
openedx-django-pyfs==3.2.1
# via xblock
-openedx-django-wiki==1.1.4
- # via
- # -c requirements/edx/../constraints.txt
- # -r requirements/edx/base.in
+openedx-django-wiki==2.0.0
+ # via -r requirements/edx/base.in
openedx-events==4.2.0
# via
# -r requirements/edx/base.in
@@ -771,7 +768,7 @@ openedx-filters==1.0.0
# lti-consumer-xblock
optimizely-sdk==4.1.0
# via -r requirements/edx/base.in
-ora2==4.5.1
+ora2==5.0.0
# via -r requirements/edx/base.in
oscrypto==1.3.0
# via snowflake-connector-python
@@ -1177,7 +1174,7 @@ xblock[django]==1.6.2
# xblock-google-drive
# xblock-poll
# xblock-utils
-xblock-drag-and-drop-v2==3.0.0
+xblock-drag-and-drop-v2==3.1.0
# via -r requirements/edx/base.in
xblock-google-drive==0.3.0
# via -r requirements/edx/base.in
diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt
index 0aff31b0d5..5218e0b273 100644
--- a/requirements/edx/development.txt
+++ b/requirements/edx/development.txt
@@ -94,9 +94,8 @@ billiard==3.6.4.0
# via
# -r requirements/edx/testing.txt
# celery
-bleach[css]==5.0.1
+bleach[css]==6.0.0
# via
- # -c requirements/edx/../constraints.txt
# -r requirements/edx/testing.txt
# edx-enterprise
# lti-consumer-xblock
@@ -892,7 +891,7 @@ loremipsum==1.0.5
# via
# -r requirements/edx/testing.txt
# ora2
-lti-consumer-xblock==7.3.0
+lti-consumer-xblock==8.0.0
# via -r requirements/edx/testing.txt
lxml==4.9.2
# via
@@ -1004,10 +1003,8 @@ openedx-django-pyfs==3.2.1
# via
# -r requirements/edx/testing.txt
# xblock
-openedx-django-wiki==1.1.4
- # via
- # -c requirements/edx/../constraints.txt
- # -r requirements/edx/testing.txt
+openedx-django-wiki==2.0.0
+ # via -r requirements/edx/testing.txt
openedx-events==4.2.0
# via
# -r requirements/edx/testing.txt
@@ -1018,7 +1015,7 @@ openedx-filters==1.0.0
# lti-consumer-xblock
optimizely-sdk==4.1.0
# via -r requirements/edx/testing.txt
-ora2==4.5.1
+ora2==5.0.0
# via -r requirements/edx/testing.txt
oscrypto==1.3.0
# via
@@ -1689,7 +1686,7 @@ xblock[django]==1.6.2
# xblock-google-drive
# xblock-poll
# xblock-utils
-xblock-drag-and-drop-v2==3.0.0
+xblock-drag-and-drop-v2==3.1.0
# via -r requirements/edx/testing.txt
xblock-google-drive==0.3.0
# via -r requirements/edx/testing.txt
diff --git a/requirements/edx/pip.txt b/requirements/edx/pip.txt
index 1663bcd84b..d3d8f5af35 100644
--- a/requirements/edx/pip.txt
+++ b/requirements/edx/pip.txt
@@ -4,9 +4,11 @@
#
# make upgrade
#
-pip==23.0
- # via -r requirements/edx/pip.in
-setuptools==67.0.0
- # via -r requirements/edx/pip.in
wheel==0.38.4
# via -r requirements/edx/pip.in
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==23.0
+ # via -r requirements/edx/pip.in
+setuptools==67.1.0
+ # via -r requirements/edx/pip.in
diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt
index 160af22e18..2646c73803 100644
--- a/requirements/edx/testing.txt
+++ b/requirements/edx/testing.txt
@@ -66,7 +66,6 @@ attrs==22.2.0
# jsonschema
# lti-consumer-xblock
# openedx-events
- # outcome
# pytest
babel==2.11.0
# via
@@ -90,9 +89,8 @@ billiard==3.6.4.0
# via
# -r requirements/edx/base.txt
# celery
-bleach[css]==5.0.1
+bleach[css]==6.0.0
# via
- # -c requirements/edx/../constraints.txt
# -r requirements/edx/base.txt
# edx-enterprise
# lti-consumer-xblock
@@ -850,7 +848,7 @@ loremipsum==1.0.5
# via
# -r requirements/edx/base.txt
# ora2
-lti-consumer-xblock==7.3.0
+lti-consumer-xblock==8.0.0
# via -r requirements/edx/base.txt
lxml==4.9.2
# via
@@ -955,10 +953,8 @@ openedx-django-pyfs==3.2.1
# via
# -r requirements/edx/base.txt
# xblock
-openedx-django-wiki==1.1.4
- # via
- # -c requirements/edx/../constraints.txt
- # -r requirements/edx/base.txt
+openedx-django-wiki==2.0.0
+ # via -r requirements/edx/base.txt
openedx-events==4.2.0
# via
# -r requirements/edx/base.txt
@@ -969,7 +965,7 @@ openedx-filters==1.0.0
# lti-consumer-xblock
optimizely-sdk==4.1.0
# via -r requirements/edx/base.txt
-ora2==4.5.1
+ora2==5.0.0
# via -r requirements/edx/base.txt
oscrypto==1.3.0
# via
@@ -1562,7 +1558,7 @@ xblock[django]==1.6.2
# xblock-google-drive
# xblock-poll
# xblock-utils
-xblock-drag-and-drop-v2==3.0.0
+xblock-drag-and-drop-v2==3.1.0
# via -r requirements/edx/base.txt
xblock-google-drive==0.3.0
# via -r requirements/edx/base.txt
diff --git a/xmodule/capa/util.py b/xmodule/capa/util.py
index 66e7b12390..ada0818a39 100644
--- a/xmodule/capa/util.py
+++ b/xmodule/capa/util.py
@@ -191,8 +191,8 @@ def sanitize_html(html_code):
})
output = bleach.clean(
html_code,
- protocols=bleach.ALLOWED_PROTOCOLS + ['data'],
- tags=bleach.ALLOWED_TAGS + ['div', 'p', 'audio', 'pre', 'img', 'span'],
+ protocols=bleach.ALLOWED_PROTOCOLS | {'data'},
+ tags=bleach.ALLOWED_TAGS | {'div', 'p', 'audio', 'pre', 'img', 'span'},
css_sanitizer=CSSSanitizer(allowed_css_properties=["white-space"]),
attributes=attributes
)
@@ -216,12 +216,12 @@ def remove_markup(html):
"""
Return html with markup stripped and text HTML-escaped.
- >>> bleach.clean("Rock & Roll", tags=[], strip=True)
+ >>> bleach.clean("Rock & Roll", tags=set(), strip=True)
'Rock & Roll'
- >>> bleach.clean("Rock & Roll", tags=[], strip=True)
+ >>> bleach.clean("Rock & Roll", tags=set(), strip=True)
'Rock & Roll'
"""
- return HTML(bleach.clean(html, tags=[], strip=True))
+ return HTML(bleach.clean(html, tags=set(), strip=True))
def get_course_id_from_capa_block(capa_block):