openSUSE-SU-2021:0552-1

This update for python-bleach fixes the following issues:

• CVE-2021-23980: Fixed mutation XSS on bleach.clean with specific combinations of allowed tags (boo#1184547)

Update to 3.1.5:

• replace missing setuptools dependency with packaging. Thank you Benjamin Peterson.

Update to 3.1.4 (boo#1168280, CVE-2020-6817):

• bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute were vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
• Style attributes with dashes, or single or double quoted values are cleaned instead of passed through.

update to 3.1.3 (boo#1167379, CVE-2020-6816):

• Add relative link to code of conduct. (#442)
• Drop deprecated 'setup.py test' support. (#507)
• Fix typo: curren -> current in tests/test_clean.py (#504)
• Test on PyPy 7
• Drop test support for end of life Python 3.4
• bleach.clean behavior parsing embedded MathML and SVG content with RCDATA tags did not match browser behavior and could result in a mutation XSS. Calls to bleach.clean with strip=False and math or svg tags and one or more of the RCDATA tags script, noscript, style, noframes, iframe, noembed, or xmp in the allowed tags whitelist were vulnerable to a mutation XSS.