Sourced from bleach's changelog.
Version 6.4.0 (June 5th, 2026)
NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future releases including for security issues. See issue:
<https://github.com/mozilla/bleach/issues/698>

Backwards incompatible changes
- Dropped support for pypy 3.10. (#764)
Security fixes
Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.
Fix XSS issue with sanitize_uri_value where disallowed schemes with Unicode invisible characters wouldn't be rejected.
For example::

    import bleach

    payload1 = 'Click'
    result1 = bleach.clean(payload1)
    print(repr(result1))

outputs::

    'Click'
See the advisory for details.
Fix GHSA-gj48-438w-jh9v.
Fix issue where URI sanitization wasn't happening in formaction attributes.
See the advisory for details.
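The bug class behind both security fixes, as an added example that is not bleach's own code: a scheme check that treats an unparseable scheme as a relative URL, beside one that strips invisible code points and fails closed, applied to `formaction` as well as `href`. The function names, the allow-list, the attribute set and the sample input are assumptions made for this sketch.

```python
import re
import unicodedata

ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})  # assumed allow-list
# Assumed set of URI-carrying attributes; formaction sits beside href/src/action.
URI_ATTRS = frozenset({"href", "src", "action", "formaction", "poster", "cite"})
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.\-]*\Z")  # RFC 3986 scheme grammar
INVISIBLE = {"Cc", "Cf", "Zs", "Zl", "Zp"}  # controls, format chars, separators


def naive_uri_ok(value):
    """Flawed: a scheme the regex cannot parse is treated as a relative URL."""
    m = re.match(r"([a-z][a-z0-9+.\-]*):", value.strip().lower())
    return m is None or m.group(1) in ALLOWED_SCHEMES


def strict_uri_ok(value):
    """Drop invisible code points, then fail closed on anything scheme-like."""
    cleaned = "".join(
        ch for ch in value if unicodedata.category(ch) not in INVISIBLE
    ).lower()
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True  # no colon before the path, query or fragment: relative
    scheme = head.split(":", 1)[0]
    return bool(SCHEME_RE.match(scheme)) and scheme in ALLOWED_SCHEMES


def sanitize_attrs(attrs, uri_ok=strict_uri_ok):
    """Return a copy of attrs without URI attributes that fail uri_ok."""
    return {
        name: val for name, val in attrs.items()
        if name.lower() not in URI_ATTRS or uri_ok(val)
    }


# Constructed sample input: U+200B (zero-width space) inside the scheme name.
SAMPLE = {
    "formaction": "java\u200bscript:void(0)",
    "href": "https://example.com/a:b",
    "type": "submit",
}

if __name__ == "__main__":
    print(sanitize_attrs(SAMPLE, naive_uri_ok))  # naive check keeps formaction
    print(sanitize_attrs(SAMPLE))                # strict check drops it
```

The strict check also rejects schemes containing invisible characters outside the stripped categories (for example variation selectors), because anything before the colon that is not a valid, allowed scheme is refused.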
Bug fixes

- f0355a7 fix: fix last release date in CHANGES
- ae4e8a2 chore: bleach 6.4.0 and final release
- 970df58 fix: uri-sanitization in formaction attributes
- 7c4867c fix: xss bypass in allowed protocol test using unicode invisible characters
- 913ab75 fix: reduce redundancy in workflow jobs
- 218c15a fix: rework pip caching
- 4f0b097 fix: fix tox platform restrictions
- e95a79d chore: update pytest
- 91539d4 Bump actions/cache from 5.0.3 to 5.0.4
- cd47b4c fix: handle left-angle-bracket that's not a tag (#733)