Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-lxml_html_clean for
openSUSE:Factory checked in at 2026-07-06 12:31:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-lxml_html_clean (Old)
and /work/SRC/openSUSE:Factory/.python-lxml_html_clean.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-lxml_html_clean"
Mon Jul 6 12:31:36 2026 rev:6 rq:1363833 version:0.4.5
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-lxml_html_clean/python-lxml_html_clean.changes
2026-03-10 18:58:40.485846414 +0100
+++
/work/SRC/openSUSE:Factory/.python-lxml_html_clean.new.1982/python-lxml_html_clean.changes
2026-07-06 12:34:10.543235010 +0200
@@ -1,0 +2,11 @@
+Sun Jul 5 09:49:18 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 0.4.5 (bsc#1270285, CVE-2026-49825):
+ * Fixed a security vulnerability where javascript: URLs in
+ xlink:href attributes were not sanitized
+ when``safe_attrs_only=False``, allowing cross-site scripting
+ (XSS) attacks. The fix requires lxml>=6.1.1, which adds
+ xlink:href to the set of link attributes iterated by
+ rewrite_links(). Reported by Guillem Lefait (@glefait).
+
+-------------------------------------------------------------------
Old:
----
lxml_html_clean-0.4.4.tar.gz
New:
----
lxml_html_clean-0.4.5.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-lxml_html_clean.spec ++++++
--- /var/tmp/diff_new_pack.TfqiCT/_old 2026-07-06 12:34:11.335262528 +0200
+++ /var/tmp/diff_new_pack.TfqiCT/_new 2026-07-06 12:34:11.343262806 +0200
@@ -18,7 +18,7 @@
%{?sle15_python_module_pythons}
Name: python-lxml_html_clean
-Version: 0.4.4
+Version: 0.4.5
Release: 0
Summary: HTML cleaner from lxml project
License: BSD-3-Clause
++++++ lxml_html_clean-0.4.4.tar.gz -> lxml_html_clean-0.4.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/CHANGES.rst
new/lxml_html_clean-0.4.5/CHANGES.rst
--- old/lxml_html_clean-0.4.4/CHANGES.rst 2026-02-27 10:32:54.000000000
+0100
+++ new/lxml_html_clean-0.4.5/CHANGES.rst 2026-05-20 12:17:11.000000000
+0200
@@ -3,8 +3,17 @@
=========================
-Unreleased
-==========
+0.4.5 (2026-05-20)
+==================
+
+Bugs fixed
+----------
+
+* Fixed a security vulnerability where ``javascript:`` URLs in ``xlink:href``
+ attributes were not sanitized when``safe_attrs_only=False``, allowing
+ cross-site scripting (XSS) attacks. The fix requires ``lxml>=6.1.1``,
+ which adds ``xlink:href`` to the set of link attributes iterated by
+ ``rewrite_links()``. Reported by Guillem Lefait (@glefait).
0.4.4 (2026-02-26)
==================
@@ -14,12 +23,12 @@
* Fixed a bug where Unicode escapes in CSS were not properly decoded
before security checks. This prevents attackers from bypassing filters
- using escape sequences.
+ using escape sequences. (CVE-2026-28348)
* Fixed a security issue where ``<base>`` tags could be used for URL
hijacking attacks. The ``<base>`` tag is now automatically removed
whenever the ``<head>`` tag is removed (via ``page_structure=True``
or manual configuration), as ``<base>`` must be inside ``<head>``
- according to HTML specifications.
+ according to HTML specifications. (CVE-2026-28350)
0.4.3 (2025-10-02)
==================
@@ -58,7 +67,7 @@
within CSS comments. In certain contexts, such as within ``<svg>`` or
``<math>`` tags,
``<style>`` tags may lose their intended function, allowing comments
like ``/* foo */`` to potentially be executed by the browser.
- If a suspicious content is detected, only the comment is removed.
+ If a suspicious content is detected, only the comment is removed.
(CVE-2024-52595)
0.3.1 (2024-10-09)
==================
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/PKG-INFO
new/lxml_html_clean-0.4.5/PKG-INFO
--- old/lxml_html_clean-0.4.4/PKG-INFO 2026-02-27 10:33:33.721878000 +0100
+++ new/lxml_html_clean-0.4.5/PKG-INFO 2026-05-20 12:17:34.396014500 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: lxml_html_clean
-Version: 0.4.4
+Version: 0.4.5
Summary: HTML cleaner from lxml project
Home-page: https://github.com/fedora-python/lxml_html_clean/
Author: Lumír Balhar
@@ -17,7 +17,7 @@
Classifier: Programming Language :: Python :: 3.14
Description-Content-Type: text/markdown
License-File: LICENSE.txt
-Requires-Dist: lxml
+Requires-Dist: lxml>=6.1.1
Dynamic: license-file
# lxml_html_clean
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/PKG-INFO
new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/PKG-INFO
--- old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/PKG-INFO 2026-02-27
10:33:33.000000000 +0100
+++ new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/PKG-INFO 2026-05-20
12:17:34.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: lxml_html_clean
-Version: 0.4.4
+Version: 0.4.5
Summary: HTML cleaner from lxml project
Home-page: https://github.com/fedora-python/lxml_html_clean/
Author: Lumír Balhar
@@ -17,7 +17,7 @@
Classifier: Programming Language :: Python :: 3.14
Description-Content-Type: text/markdown
License-File: LICENSE.txt
-Requires-Dist: lxml
+Requires-Dist: lxml>=6.1.1
Dynamic: license-file
# lxml_html_clean
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/requires.txt
new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/requires.txt
--- old/lxml_html_clean-0.4.4/lxml_html_clean.egg-info/requires.txt
2026-02-27 10:33:33.000000000 +0100
+++ new/lxml_html_clean-0.4.5/lxml_html_clean.egg-info/requires.txt
2026-05-20 12:17:34.000000000 +0200
@@ -1 +1 @@
-lxml
+lxml>=6.1.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/setup.cfg
new/lxml_html_clean-0.4.5/setup.cfg
--- old/lxml_html_clean-0.4.4/setup.cfg 2026-02-27 10:33:33.722296500 +0100
+++ new/lxml_html_clean-0.4.5/setup.cfg 2026-05-20 12:17:34.396445800 +0200
@@ -1,6 +1,6 @@
[metadata]
name = lxml_html_clean
-version = 0.4.4
+version = 0.4.5
description = HTML cleaner from lxml project
long_description = file:README.md
long_description_content_type = text/markdown
@@ -25,7 +25,7 @@
packages =
lxml_html_clean
install_requires =
- lxml
+ lxml>=6.1.1
[egg_info]
tag_build =
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lxml_html_clean-0.4.4/tests/test_clean_embed.txt
new/lxml_html_clean-0.4.5/tests/test_clean_embed.txt
--- old/lxml_html_clean-0.4.4/tests/test_clean_embed.txt 2025-10-02
22:37:00.000000000 +0200
+++ new/lxml_html_clean-0.4.5/tests/test_clean_embed.txt 2026-05-12
08:38:06.000000000 +0200
@@ -13,15 +13,15 @@
... return s
>>> doc_embed = '''<div>
-... <embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash"></embed>
-... <embed src="http://anothersite.com/v/another"></embed>
+... <embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash">
+... <embed src="http://anothersite.com/v/another">
... <script src="http://www.youtube.com/example.js"></script>
... <script src="/something-else.js"></script>
... </div>'''
>>> print(tostring(fromstring(doc_embed)))
<div>
-<embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash"></embed>
-<embed src="http://anothersite.com/v/another"></embed>
+<embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash">
+<embed src="http://anothersite.com/v/another">
<script src="http://www.youtube.com/example.js"></script>
<script src="/something-else.js"></script>
</div>
@@ -30,10 +30,10 @@
</div>
>>> print(Cleaner(host_whitelist=['www.youtube.com']).clean_html(doc_embed))
<div>
-<embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash"></embed>
+<embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash">
</div>
>>> print(Cleaner(host_whitelist=['www.youtube.com'],
>>> whitelist_tags=None).clean_html(doc_embed))
<div>
-<embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash"></embed>
+<embed src="http://www.youtube.com/v/183tVH1CZpA"
type="application/x-shockwave-flash">
<script src="http://www.youtube.com/example.js"></script>
</div>