Sourced from bleach's changelog.
Version 6.4.0 (June 5th, 2026)
NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue: <https://github.com/mozilla/bleach/issues/698>
Backwards incompatible changes
- Dropped support for pypy 3.10. (#764)
Security fixes
Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.
Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.
For example::

    import bleach
    payload1 = 'Click'
    result1 = bleach.clean(payload1)
    print(repr(result1))

outputs::

    'Click'

See the advisory for details.
Fix GHSA-gj48-438w-jh9v.
Fix issue where URI sanitization wasn't happening in formaction attributes.
See the advisory for details.
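An added example (not bleach's code, and not the advisories' payloads): an audit pass over already-sanitized HTML that flags URI-bearing attributes, `formaction` included, whose scheme is not allowlisted even when invisible characters split it. `ALLOWED_SCHEMES`, `URI_ATTRS`, the Cc/Cf category filter and `SAMPLE` are assumptions constructed for this illustration; the filter does not cover invisible characters in other Unicode categories.

```python
import unicodedata
from html.parser import HTMLParser

# Assumed policy for this example, not bleach's own lists.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URI_ATTRS = {"href", "src", "action", "formaction", "cite", "poster"}

# Constructed sample: U+200B (zero width space) sits inside the first scheme.
SAMPLE = (
    '<a href="java\u200bscript:void(0)">x</a>'
    '<button formaction="javascript:void(0)">y</button>'
    '<a href="https://example.com/a:b">ok</a>'
    '<a href="/rel/path?x=1:2">relative</a>'
)

def scheme_of(value):
    """Return the lower-cased scheme of a URI value, or None if it is relative."""
    # Drop control (Cc) and format (Cf) characters and all whitespace first,
    # so a scheme interrupted by them is still recognised.
    cleaned = "".join(
        ch for ch in value
        if unicodedata.category(ch) not in ("Cc", "Cf") and not ch.isspace()
    )
    head, sep, _ = cleaned.partition(":")
    # A ':' that follows '/', '?' or '#' is part of the path, query or fragment.
    if not sep or any(c in head for c in "/?#"):
        return None
    return head.lower()

class UriAttrAuditor(HTMLParser):
    """Collects (tag, attribute, scheme) for every non-allowlisted scheme."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URI_ATTRS and value:
                scheme = scheme_of(value)
                # Fail closed: anything that parses as an unknown scheme is reported.
                if scheme is not None and scheme not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, scheme))

def audit(html):
    auditor = UriAttrAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running `audit()` over the output of the sanitizer, rather than its input, checks what would actually reach the browser.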
Bug fixes
- Add support for pypy 3.11. (#764)
- Drop version max in tinycss2 pin. (#772)
  This removes one of the things we had to keep checking and updating. Users now own the responsibility for correctness with the version of tinycss2 they're using.
Version 6.3.0 (October 27th, 2025)
... (truncated)
- f0355a7 fix: fix last release date in CHANGES
- ae4e8a2 chore: bleach 6.4.0 and final release
- 970df58 fix: uri-sanitization in formaction attributes
- 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
- 913ab75 fix: reduce redundancy in workflow jobs
- 218c15a fix: rework pip caching
- 4f0b097 fix: fix tox platform restrictions
- e95a79d chore: update pytest
- 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
- cd47b4c fix: handle left-angle-bracket that's not a tag (#733)