Update bleach to 6.0.0

[pyup-bot]

This PR updates bleach from 3.0.2 to 6.0.0.

Changelog

5.0.1

-------------------------------

**Bugs**

* Add missing comma to tinycss2 require. Thank you, shadchin!

* Add url parse tests based on wpt url tests. (688)

* Support scheme-less urls if "https" is in allow list. (662)

* Handle escaping ``<`` in edge cases where it doesn't start a tag. (544)

* Fix reference warnings in docs. (660)

* Correctly urlencode email address parts. Thank you, larseggert! (659)

5.0.0

-------------------------------

**Backwards incompatible changes**

* ``clean`` and ``linkify`` now preserve the order of HTML attributes. Thank
you, askoretskly! (566)

* Drop support for Python 3.6. Thank you, hugovk! (629)

* CSS sanitization in style tags is completely different now. If you're using
Bleach ``clean`` to sanitize css in style tags, you'll need to update your
code and you'll need to install the ``css`` extras::

   pip install 'bleach[css]'

See `the documentation on sanitizing CSS for how to do it
<https://bleach.readthedocs.io/en/latest/clean.html#sanitizing-css>`_. (633)

**Bug fixes**

* Rework dev dependencies. We no longer have
``requirements-dev.in``/``requirements-dev.txt``. Instead, we're using
``dev`` extras.

See `development docs <https://bleach.readthedocs.io/en/latest/dev.html>`_
for more details. (620)

* Add newline when dropping block-level tags. Thank you, jvanasco! (369)

4.1.0

---------------------------------

**Features**

* Python 3.9 support

**Bug fixes**

* Update sanitizer clean to use vendored 3.6.14 stdlib urllib.parse to
fix test failures on Python 3.9. (536)

4.0.0

--------------------------------

**Backwards incompatible changes**

* Drop support for unsupported Python versions <3.6. (520)

**Security fixes**

None

**Features**

* fix attribute name in the linkify docs (thanks CheesyFeet!)

3.3.1

-------------------------------

**Security fixes**

None

**Features**

* add more tests for CVE-2021-23980 / GHSA-vv2x-vrpj-qqpq
* bump python version to 3.8 for tox doc, vendorverify, and lint targets
* update bug report template tag
* update vendorverify script to detect and fail when extra files are vendored
* update release process docs to check vendorverify passes locally

**Bug fixes**

* remove extra vendored django present in the v3.3.0 whl (595)
* duplicate h1 header doc fix (thanks Nguyễn Gia Phong / McSinyx!)

3.3.0

----------------------------------

**Backwards incompatible changes**

* clean escapes HTML comments even when strip_comments=False

**Security fixes**

* Fix bug 1621692 / GHSA-m6xf-fq7q-8743. See the advisory for details.

**Features**

None

**Bug fixes**

None

3.2.3

----------------------------------

**Security fixes**

None

**Features**

None

**Bug fixes**

* fix clean and linkify raising ValueErrors for certain inputs. Thank you Google-Autofuzz.

3.2.2

----------------------------------

**Security fixes**

None

**Features**

* Migrate CI to Github Actions. Thank you hugovk.

**Bug fixes**

* fix linkify raising an IndexError on certain inputs. Thank you Google-Autofuzz.

3.2.1

------------------------------------

**Security fixes**

None

**Features**

None

**Bug fixes**

* change linkifier to add rel="nofollow" as documented. Thank you mitar.
* suppress html5lib sanitizer DeprecationWarnings (557)

3.2.0

------------------------------------

**Security fixes**

None

**Features**

None

**Bug fixes**

* ``html5lib`` dependency to version 1.1.0. Thank you Sam Sneddon.
* update tests_website terminology. Thank you Thomas Grainger.

3.1.5

--------------------------------

**Security fixes**

None

**Features**

None

**Bug fixes**

* replace missing ``setuptools`` dependency with ``packaging``. Thank you Benjamin Peterson.

3.1.4

--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing style attributes could result in a
regular expression denial of service (ReDoS).

Calls to ``bleach.clean`` with an allowed tag with an allowed
``style`` attribute were vulnerable to ReDoS. For example,
``bleach.clean(..., attributes={'a': ['style']})``.

This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1,
v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar
regular expression and should be considered vulnerable too.

Anyone using Bleach <=v3.1.3 is encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1623633

**Backwards incompatible changes**

* Style attributes with dashes, or single or double quoted values are
cleaned instead of passed through.

**Features**

None

**Bug fixes**

None

3.1.3

--------------------------------

**Security fixes**

None

**Backwards incompatible changes**

* Drop support for Python 3.4. Thank you, hugovk!

* Drop deprecated ``setup.py test`` support. Thank you, jdufresne! (507)

**Features**

* Add support for Python 3.8. Thank you, jdufresne!

* Add support for PyPy 7. Thank you, hugovk!

* Add pypy3 testing to tox and travis. Thank you, jdufresne!

**Bug fixes**

* Add relative link to code of conduct. (442)

* Fix typo: curren -> current in tests/test_clean.py Thank you, timgates42! (504)

* Fix handling of non-ascii style attributes. Thank you, sekineh! (426)

* Simplify tox configuration. Thank you, jdufresne!

* Make documentation reproducible. Thank you, lamby!

* Fix typos in code comments. Thank you, zborboa-g!

* Fix exception value testing. Thank you, mastizada!

* Fix parser-tags NoneType exception. Thank you, bope!

* Improve TLD support in linkify. Thank you, pc-coholic!

3.1.2

--------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing embedded MathML and SVG content
with RCDATA tags did not match browser behavior and could result in
a mutation XSS.

Calls to ``bleach.clean`` with ``strip=False`` and ``math`` or
``svg`` tags and one or more of the RCDATA tags ``script``,
``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or
``xmp`` in the allowed tags whitelist were vulnerable to a mutation
XSS.

This security issue was confirmed in Bleach version v3.1.1. Earlier
versions are likely affected too.

Anyone using Bleach <=v3.1.1 is encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1621692

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

None

3.1.1

-----------------------------------

**Security fixes**

* ``bleach.clean`` behavior parsing ``noscript`` tags did not match
browser behavior.

Calls to ``bleach.clean`` allowing ``noscript`` and one or more of
the raw text tags (``title``, ``textarea``, ``script``, ``style``,
``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable
to a mutation XSS.

This security issue was confirmed in Bleach versions v2.1.4, v3.0.2,
and v3.1.0. Earlier versions are probably affected too.

Anyone using Bleach <=v3.1.0 is highly encouraged to upgrade.

https://bugzilla.mozilla.org/show_bug.cgi?id=1615315

**Backwards incompatible changes**

None

**Features**

None

**Bug fixes**

None

3.1.0

---------------------------------

**Security fixes**

None

**Backwards incompatible changes**

None

**Features**

* Add ``recognized_tags`` argument to the linkify ``Linker`` class. This
fixes issues when linkifying on its own and having some tags get escaped.
It defaults to a list of HTML5 tags. Thank you, Chad Birch! (409)

**Bug fixes**

* Add ``six>=1.9`` to requirements. Thank you, Dave Shawley (416)

* Fix cases where attribute names could have invalid characters in them.
(419)

* Fix problems with ``LinkifyFilter`` not being able to match links
across ``&``. (422)

* Fix ``InputStreamWithMemory`` when the ``BleachHTMLParser`` is
parsing ``meta`` tags. (431)

* Fix doctests. (357)

Links

• PyPI: https://pypi.org/project/bleach
• Changelog: https://pyup.io/changelogs/bleach/
• Repo: https://github.com/mozilla/bleach
• Docs: https://pythonhosted.org/bleach/