
RFE: drop use of bleach as this module is marked as deprecated #1952

Open
kloczek opened this issue Feb 27, 2023 · 9 comments

Comments

@kloczek

kloczek commented Feb 27, 2023

bleach is deprecated; statement on project going forward (2023-01-23) mozilla/bleach#698

@kloczek
Author

kloczek commented Feb 27, 2023

[tkloczko@pers-jacek nbconvert-7.2.9]$ grep bleach -wr *
CHANGELOG.md:- Replace lxml.html.clean_html with bleach; drop lxml dependency by
CHANGELOG.md:- Support bleach 5, add packaging and tinycss2 dependencies by
nbconvert/filters/strings.py:import bleach
nbconvert/filters/strings.py:    return bleach.clean(
nbconvert/filters/strings.py:        tags=[*bleach.ALLOWED_TAGS, *ALLOWED_SVG_TAGS, "div", "pre", "code", "span"],
nbconvert/filters/strings.py:            **bleach.ALLOWED_ATTRIBUTES,
nbconvert/filters/svg_constants.py:# Quoth the migration guide (https://github.com/mozilla/bleach/blob/main/docs/migrating.rst#different-allow-lists):
nbconvert/filters/svg_constants.py:#       See https://github.com/mozilla/bleach/issues/362
nbconvert/preprocessors/sanitize.py:from bleach import ALLOWED_ATTRIBUTES, ALLOWED_TAGS, clean
nbconvert/preprocessors/sanitize.py:    # bleach[css] >=5.0
nbconvert/preprocessors/sanitize.py:    from bleach.css_sanitizer import ALLOWED_CSS_PROPERTIES as ALLOWED_STYLES
nbconvert/preprocessors/sanitize.py:    from bleach.css_sanitizer import CSSSanitizer
nbconvert/preprocessors/sanitize.py:        # bleach <5
nbconvert/preprocessors/sanitize.py:        from bleach import ALLOWED_STYLES  # type:ignore
nbconvert/preprocessors/sanitize.py:            "Support for bleach <5 will be removed in a future version of nbconvert",
nbconvert/preprocessors/sanitize.py:            "The installed bleach/tinycss2 do not provide CSS sanitization, "
nbconvert/preprocessors/sanitize.py:            "please upgrade to bleach >=5",

@kloczek
Author

kloczek commented Apr 6, 2024

There are some examples of replacing bleach by nh3 netbox-community/netbox#14767

@blink1073
Member

Unfortunately nh3 does not sanitize css.
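The gap named above, illustrated with an added example that is not nbconvert's code: a small allow-list filter for inline style declarations in the spirit of bleach's CSSSanitizer, written against the standard library only. The property allow-list, the function names and the inputs are constructed for the example; it assumes tags and attributes were already allow-listed by an HTML sanitizer and only closes the CSS hole.

```python
import re
from typing import Iterable

# Constructed allow-list in the spirit of bleach's ALLOWED_CSS_PROPERTIES
# (the real list is larger). Anything not listed is dropped.
ALLOWED_CSS_PROPERTIES = frozenset({
    "color", "background-color", "font-weight", "font-style",
    "text-align", "text-decoration", "width", "height", "margin", "padding",
})

# Value constructs an allow-listed property must still not carry: external
# fetches, legacy script-bearing expression(), scheme prefixes, and braces
# that would escape the declaration.
_FORBIDDEN_VALUE = re.compile(r"url\s*\(|expression\s*\(|[{}]|javascript:", re.IGNORECASE)
_DECLARATION = re.compile(r"^\s*([a-zA-Z-]+)\s*:\s*(.+?)\s*$")


def sanitize_style(style: str, allowed: Iterable[str] = ALLOWED_CSS_PROPERTIES) -> str:
    """Keep only allow-listed `property: value` declarations from `style`.

    Splitting on ';' is deliberately naive: a ';' inside a quoted value
    produces fragments that fail to parse and are dropped (fail closed).
    """
    allowed = {p.lower() for p in allowed}
    kept = []
    for fragment in style.split(";"):
        m = _DECLARATION.match(fragment)
        if not m:
            continue  # empty or malformed fragment
        prop, value = m.group(1).lower(), m.group(2)
        if prop not in allowed:
            continue  # e.g. position, behavior, -moz-binding
        if _FORBIDDEN_VALUE.search(value):
            continue  # allow-listed property, dangerous value
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def sanitize_style_attributes(html: str) -> str:
    """Apply sanitize_style to every style="..." attribute in already
    tag/attribute-sanitized HTML; an emptied attribute is removed."""
    def _fix(m: "re.Match[str]") -> str:
        cleaned = sanitize_style(m.group(1))
        return f'style="{cleaned}"' if cleaned else ""
    return re.sub(r'style="([^"]*)"', _fix, html, flags=re.IGNORECASE)
```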

@kloczek
Author

kloczek commented Apr 6, 2024

So probably the only alternative could be lxml? 🤔 #1892
Revert #1854? 🤔

@blink1073
Member

They removed clean_html from lxml and stated that it was not safe: https://github.com/fedora-python/lxml_html_clean

@kloczek
Author

kloczek commented Apr 7, 2024

OK, could that be a possible migration target? 🤔
If yes, maybe I should try to prepare for that by packaging lxml-html-clean in my distro? 😋

@blink1073
Member

I don't want to switch to something that is explicitly marked as unsafe. Bleach is still getting security releases, I don't see a reason to switch anything at this time.

@kloczek
Author

kloczek commented Apr 8, 2024

Sooner or later some replacement needs to be found, as more and more other modules are dropping bleach.
Quite quickly there will be fewer and fewer eyeballs watching that module's security aspects.
In my distro I have ATM packaged +1.25k python modules as rpm packages. After the deprecation announcement, the number of modules still using bleach dropped from 12 to 3 in the first two weeks.
Now in that small population nbconvert is the only remaining module 🤔

@blink1073
Member

I've stated my position. I'm unsubscribing from this issue.
