Hi,

On Thu, Feb 27, 2020 at 01:18:55PM +0100, Salvatore Bonaccorso wrote:
> I think though we might need to revisit the assessment that older
> versions are not affected. Look at this quick and dirty test
> deduced from the testsuite:

So I think versions before are as well vulnerable but a fix will
become not so easy. First back in b07814e0753c ("Extract all html5lib
things into a shim module") in v3.0.0 did split some code from
bleach.sanitizer to bleach.html5lib_shim, and before in 67afdf8ae7d3
("Prevent HTMLTokenizer from unescaping entities") in v2.1 was quite
refactored.

Now I'm not entirely sure how we should fix that for stretch.

Regards,
Salvatore