Bleach is an allowed-list-based HTML sanitizing library for escaping or stripping unsafe HTML markup and attributes from untrusted text. It can also safely “linkify” plain text into links and apply filters (including optional `rel` attributes) to better control generated URLs.
Project status
- Actively maintained (yes): The upstream repo shows a very recent push (2026-05-01), and the most recent tagged updates include v6.3.0 on 2025-10-27, indicating ongoing maintenance rather than end-of-life.
- Update cadence (approx.): Recent updates appear roughly annual, with v6.2.0 on 2024-10-29 and v6.3.0 on 2025-10-27 (about 1 year), and similarly v6.1.0 on 2023-10-06 to v6.2.0 on 2024-10-29 (about 1 year).
Recent updates
v6.3.0
7 months ago
Bleach 6.3.0 primarily drops Python 3.9 support, adds Python 3.14 compatibility, and fixes incorrect handling of `<wbr>` in the sanitizer and vendored html5lib. The rest of the release is mostly tooling and packaging maintenance, including updates to CI, docs, and development dependencies.
Breaking

v6.2.0
10/29/2024
Bleach 6.2.0 drops Python 3.8, adds Python 3.13 support, and removes the runtime `six` dependency by patching the vendored html5lib stack to use an internal shim. It also tightens tinycss2 compatibility and fixes several malformed HTML edge cases where truncated `<...` input could be parsed too aggressively.
Breaking

v6.1.0
10/6/2023
Bleach 6.1.0 is mostly a compatibility and bugfix release. It drops Python 3.7, adds Python 3.12 support, fixes several linkification and parser edge cases, and refreshes CI and docs tooling.
Breaking

v6.0.0
1/23/2023
Bleach 6.0.0 is a major API cleanup release that switches tag and protocol configuration to set semantics, renames the sanitizer filter's allowed-tags terminology, and reworks linkify to preserve character entities correctly. It also adds Python 3.11 support and modernizes the development and CI workflow around tox and separate requirements files.
Breaking, Features

v5.0.1
6/27/2022
v5.0.1 is a focused bugfix release for Bleach. It improves HTML and URL edge-case handling, including stray `<` text, RFC6068 email encoding, and scheme-less URL allowance when `https` is permitted, while also refreshing docs and development dependency pins.

v5.0.0
4/7/2022
Bleach 5.0.0 is a major release that overhauls CSS sanitization, preserves HTML attribute order in `clean` and `linkify`, and drops Python 3.6 support. It also adds a new `CSSSanitizer` API, reworks dev dependency handling, and fixes block-level tag spacing.
Breaking, Features

v4.1.0
8/25/2021
v4.1.0 is a maintenance release that adds Python 3.9 support and fixes Bleach's sanitizer to avoid Python 3.9 URL parsing failures. Most of the remaining changes are CI, tooling, documentation, and vendoring updates, but the runtime URL parsing path now depends on a vendored copy of urllib.parse.
Features

v4.0.0
8/3/2021
Bleach 4.0.0 is a Python 3.6+ release that drops support for Python versions older than 3.6 and updates packaging, CI, and docs to match. The runtime changes are mostly Python 3 cleanup in the sanitizer, linkifier, and html5lib shim, with the most notable code-level removal being the old `force_unicode` helper.
Breaking, Features

v3.3.1
7/14/2021
v3.3.1 is a maintenance-focused release that bumps version metadata, tightens the release and vendoring workflow, updates selected tox environments to Python 3.8, and adds expanded regression coverage around the CVE-2021-23980 sanitization path. The tracked diff is dominated by documentation, packaging, and test updates, with no public API changes visible in the code shown.
Features

v3.3.0
2/1/2021
Only release metadata is available for v3.3.0 (published 2021-02-01); no release notes content is included, so new features, breaking changes, bug fixes, security updates, or migration steps cannot be reliably identified for this release.