
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output

Where: Global (internet)
Category: cyber_advisory · pip

### Impact

A possible XSS bypass affects users calling `bleach.clean` with all of:

* `a` in the allowed tags
* `href` in the allowed attributes

The `bleach.clean` sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as `javascript:` URIs.

The practical security impact is limited to:

- Bleach's output contains URI values that violate the caller's protocol allowlist, breaking the sanitizer's contract.
- If a downstream system performs its own Unicode normalization on Bleach's output (stripping invisible characters before rendering), the `javascript:` scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.

This is not a direct XSS vulnerability.

Python code example from the reporter, run with Bleach v6.3.0 and Python 3.13:

```python
import bleach

# A zero-width space (U+200B) is inserted between the scheme and the colon.
# bleach.clean() is called with its defaults, which allow the "a" tag and
# its "href" attribute, so the href value is subject to the protocol check.
payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
result1 = bleach.clean(payload1)
print(f"(ZWSP): {repr(result1)}")
```

Output:

```
(ZWSP): '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
```

### Patches

Users should upgrade to Bleach 6.4.0.

### Workarounds

Pre-process content, removing non-ASCII characters from URI schemes before sanitizing with `bleach.clean`.

A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) whose [script-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) omits `'unsafe-inline'` and `'unsafe-eval'` will also help mitigate the risk.

### References

* https://bugzilla.mozilla.org/show_bug.cgi?id=2023812
* RFC 3986, Section 3.1 (URI Scheme syntax): `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`

### Reported by

Reported by codeant from CodeAnt AI.
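As an added example (not code from the advisory, the reporter, or the Bleach project), the following Python implements the RFC 3986 Section 3.1 scheme check that the references cite and the pre-processing workaround described above, applied to an href value after it has been decoded out of the HTML. It also models the downstream step the Impact section warns about: stripping invisible format characters from the raw output turns `javascript\u200b:` into a well-formed `javascript:` scheme. The allowlist is Bleach's documented default protocols; the function names and all sample URIs other than the reporter's payload are constructed for this illustration.

```python
import re
import unicodedata

# RFC 3986, Section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")

# Bleach's documented default protocol allowlist (bleach.ALLOWED_PROTOCOLS);
# any other allowlist can be passed to the functions below.
ALLOWED_PROTOCOLS = frozenset({"http", "https", "mailto"})


def split_scheme(uri):
    """Return (scheme, rest) for 'scheme:rest', or (None, uri) for a relative
    reference. Per RFC 3986 a colon only terminates a scheme if it appears
    before the first '/', '?' or '#'."""
    for i, ch in enumerate(uri):
        if ch == ":":
            return uri[:i], uri[i + 1:]
        if ch in "/?#":
            break
    return None, uri


def classify_href(uri, allowed=ALLOWED_PROTOCOLS):
    """Classify an already HTML-decoded href value as one of
    'relative', 'allowed', 'disallowed' or 'malformed'.

    'malformed' is the case from the advisory: something that looks like a
    scheme but violates the RFC 3986 grammar (here 'javascript\u200b'). It
    matches no allowlist entry, and a checker that treats "no recognizable
    scheme" as "relative path" would let it through unchanged."""
    scheme, _ = split_scheme(uri)
    if scheme is None:
        return "relative"
    if not SCHEME_RE.fullmatch(scheme):
        return "malformed"
    return "allowed" if scheme.lower() in allowed else "disallowed"


def normalize_scheme(uri):
    """The advisory's workaround: remove non-ASCII code points from the
    scheme segment only. The remainder of the URI is left untouched so that
    legitimate non-ASCII paths and query strings survive."""
    scheme, rest = split_scheme(uri)
    if scheme is None:
        return uri
    ascii_scheme = "".join(ch for ch in scheme if ord(ch) < 0x80)
    return f"{ascii_scheme}:{rest}"


def sanitize_href(uri, allowed=ALLOWED_PROTOCOLS):
    """Normalize first, then apply the allowlist. Returns the href to emit, or
    None if the attribute must be dropped. Malformed schemes are rejected
    rather than passed through as relative references."""
    candidate = normalize_scheme(uri)
    if classify_href(candidate, allowed) in ("relative", "allowed"):
        return candidate
    return None


def downstream_strip_format_chars(text):
    """Models the non-standard downstream stage the advisory warns about: a
    later component removing invisible Unicode format characters (general
    category Cf, which includes U+200B ZERO WIDTH SPACE) before rendering."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


# Constructed sample values for this illustration (only the first one is the
# reporter's payload from the advisory).
SAMPLE_HREFS = [
    "javascript\u200b:alert(document.cookie)",  # the advisory's payload
    "javascript:alert(1)",                      # plainly disallowed scheme
    "https://example.com/caf\u00e9",            # allowed; non-ASCII in path is fine
    "/docs/index.html#section",                 # relative reference
    "mailto:security@example.com",              # allowed default protocol
]


def audit(hrefs=SAMPLE_HREFS):
    """Return, per href: its raw classification, what sanitize_href emits, and
    what the raw value would classify as after a downstream Cf strip."""
    return {
        h: (
            classify_href(h),
            sanitize_href(h),
            classify_href(downstream_strip_format_chars(h)),
        )
        for h in hrefs
    }


if __name__ == "__main__":
    for href, (raw, emitted, after_strip) in audit().items():
        print(f"{href!r}: raw={raw} emitted={emitted!r} after_cf_strip={after_strip}")
```

The check operates on the decoded attribute value, so it belongs after HTML entity decoding (an entity-encoded `&#x200b;` is decoded by the HTML parser before a sanitizer ever compares the scheme). The design choice worth copying is that a scheme-like prefix which fails the RFC 3986 grammar is treated as a rejection, not as a relative path; normalizing the scheme before the allowlist comparison then makes the allowlist apply to the scheme a browser or a later normalizer would actually see.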
