GHSA-8rfp-98v4-mmr6LowDisclosed before NVD

Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output

Published
June 16, 2026
Last Modified
June 16, 2026

📋 Description

Impact

A possible XSS bypass affects users calling bleach.clean with all of:

  • a in the allowed tags
  • href in allowed attributes

The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:

  • Bleach's output contains URI values that violate the caller's protocol allowlist, breaking the sanitizer's contract.
  • If a downstream system performs its own Unicode normalization on bleach's output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.

This is not a direct XSS vulnerability.

Python code example from reporter with Bleach v6.3.0 and Python 3.13:

import bleach
payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
result1 = bleach.clean(payload1)
print(f"(ZWSP): {repr(result1)}")

Output:

(ZWSP): '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'

Patches

Users should upgrade to Bleach 6.4.0.

Workarounds

Pre-process content removing non-ASCII characters from URI schemes before sanitizing with bleach.clean.

A strong Content-Security-Policy without unsafe-inline and unsafe-eval script-srcs will also help mitigate the risk.

References

  • https://bugzilla.mozilla.org/show_bug.cgi?id=2023812
  • RFC 3986, Section 3.1 (URI Scheme syntax): scheme characters are restricted to ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

Reported by

Reported by codeant from CodeAnt AI.

🎯 Affected products1

  • pip/bleach:<= 6.3.0

🔗 References (3)