Skip to content

feat: use nh3 for HTML sanitization#10264

Open
nouralmaa wants to merge 22 commits intoietf-tools:mainfrom
nouralmaa:replace-bleach-nh3
Open

feat: use nh3 for HTML sanitization#10264
nouralmaa wants to merge 22 commits intoietf-tools:mainfrom
nouralmaa:replace-bleach-nh3

Conversation

@nouralmaa
Copy link
Contributor

@nouralmaa nouralmaa commented Jan 15, 2026
edited
Loading

fixes #10138

nouralmaa
nouralmaa commented Jan 15, 2026
View reviewed changes
ietf/utils/html.py Outdated
# Allow the protocols/tags/attributes we specifically want, plus anything that nh3 declares
# to be safe.

acceptable_protocols = nh3.ALLOWED_URL_SCHEMES.union(
Copy link
Contributor Author

@nouralmaa nouralmaa Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO check. this is more permissive than bleach's strict superset. however, unsure if this adds extra vulnerabilities since nh3 uses a better maintained parser https://github.com/rust-ammonia/ammonia

Copy link
Contributor Author

@nouralmaa nouralmaa Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jennifer-richards @rjsparks any thoughts?

Copy link
Member

@rjsparks rjsparks Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to try to get a few other eyes on this

Copy link
Collaborator

@larseggert larseggert Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding tel: and ftp: (really?) are fine from a security perspective.

Copy link
Contributor

@martinthomson martinthomson Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't really need ftp, but tel might be useful.

@codecov
Copy link

codecov bot commented Jan 15, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 92.18750% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.39%. Comparing base (c0115c9) to head (cbbd096).
⚠️ Report is 32 commits behind head on main.

Files with missing lines Patch % Lines
ietf/utils/markdown.py 89.36% 5 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #10264      +/-   ##
==========================================
- Coverage   88.57%   88.39%   -0.18%     
==========================================
  Files         317      325       +8     
  Lines       42544    43544    +1000     
==========================================
+ Hits        37682    38492     +810     
- Misses       4862     5052     +190

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

martinthomson
martinthomson reviewed Jan 18, 2026
View reviewed changes
ietf/utils/html.py Outdated
"li", "ol", "p", "pre", "q", "s", "samp", "small", "span", "strike", "style",
"li", "ol", "p", "pre", "q", "s", "samp", "small", "span", "strike",
"strong", "sub", "sup", "table", "title", "tbody", "td", "tfoot", "th", "thead",
"tr", "tt", "u", "ul", "var"
Copy link
Contributor

@martinthomson martinthomson Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xmp is also good

Suggested change
"tr", "tt", "u", "ul", "var"
"tr", "tt", "u", "ul", "var", "xmp"

ietf/utils/html.py Outdated
# to be safe.

acceptable_protocols = nh3.ALLOWED_URL_SCHEMES.union(
{"http", "https", "mailto", "ftp", "xmpp"}
Copy link
Contributor

@martinthomson martinthomson Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{"http", "https", "mailto", "ftp", "xmpp"}
{"ftp", "http", "https", "mailto", "tel", "xmpp"}

Sort. Add "tel".

(If performance is dictated by order, move "https" to the top.)

ietf/utils/html.py Outdated
protocols=acceptable_protocols,
strip=True,
url_schemes=acceptable_protocols,
link_rel=None
Copy link
Contributor

@martinthomson martinthomson Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't seem right to me. The default value is safer. Are there cases where links opened will need window.opener? I can't imagine that being necessary for user-generated content.

Same below.

Copy link
Contributor Author

@nouralmaa nouralmaa Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cool, changed it here as there were no rel attributes before

ietf/utils/html.py Outdated
protocols=acceptable_protocols,
strip=True,
_liberal_nh3_cleaner = nh3.Cleaner(
tags=acceptable_tags.union({"mg", "figure", "figcaption"}),
Copy link
Contributor

@martinthomson martinthomson Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo?

Suggested change
tags=acceptable_tags.union({"mg", "figure", "figcaption"}),
tags=acceptable_tags.union({"img", "figure", "figcaption"}),

ietf/utils/html.py
"""Returns the given HTML sanitized, and with the given tags removed."""
allowed = acceptable_tags - set(t.lower() for t in tags)
return bleach.clean(html, tags=allowed, strip=True)
return nh3.clean(html, tags=allowed)
Copy link
Contributor

@martinthomson martinthomson Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might want to audit invocations of this function.

Jason-123-cyber

This comment was marked as spam.

Sign in to view

@rjsparks
Copy link
Member

rjsparks commented Jan 30, 2026
edited
Loading

Hi @nouralmaa - Thanks for continuing to work on this.

One point on something that's not obvious - commits bf72278 and 9736b74 touch an old data migration (see the filename) - those will never run again, and its better to not touch these migration files as they should show what happened when they actually ran on the production database. If it's easy, please revert those commits. If it's not, we'll do it when this gets towards final review.

When we have major changes to django (we may have one coming with django5) we tend to squash the migrations and that one would go away at that time.

nouralmaa
nouralmaa commented Jan 30, 2026
View reviewed changes
ietf/utils/templatetags/tests.py
'<a href="https://www.ietf.org" rel="nofollow">https://www.ietf.org</a>',
)
self.assertEqual(
linkify("https://mailman3.ietf.org/mailman3/lists/[email protected]/"),
Copy link
Contributor Author

@nouralmaa nouralmaa Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixes #10120

Image

@nouralmaa nouralmaa marked this pull request as ready for review January 30, 2026 19:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjsparks rjsparks rjsparks left review comments

+3 more reviewers

@martinthomson martinthomson martinthomson left review comments

@larseggert larseggert larseggert left review comments

@Jason-123-cyber Jason-123-cyber Jason-123-cyber left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Replace datatracker's use of bleach

5 participants

@nouralmaa @rjsparks @martinthomson @larseggert @Jason-123-cyber