py-bleach -- unsanitized character entities
bleach developer reports:
Attributes that have URI values weren't properly sanitized if the
values contained character entities. Using character entities, it
was possible to construct a URI value with a scheme that was not
allowed that would slide through unsanitized.
This security issue was introduced in Bleach 2.1. Anyone using
Bleach 2.1 is highly encouraged to upgrade.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright