
GHSA-8rfp-98v4-mmr6

Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output

Details

### Impact

A possible XSS bypass affects users calling `bleach.clean` with all of:

* `a` in the allowed tags
* `href` in allowed attributes

The `bleach.clean` sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:

- Bleach's output contains URI values that violate the caller's protocol allowlist, breaking the sanitizer's contract.
- If a downstream system performs its own Unicode normalization on bleach's output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.

This is not a direct XSS vulnerability.

Python code example from reporter with Bleach v6.3.0 and Python 3.13:

```python
import bleach

# U+200B (zero-width space) sits inside the scheme: "javascript<ZWSP>:"
payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
result1 = bleach.clean(payload1)
print(f"(ZWSP): {repr(result1)}")
```

Output:

```
(ZWSP): '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
```

### Patches

Users should upgrade to Bleach 6.4.0.

### Workarounds

Pre-process content removing non-ASCII characters from URI schemes before sanitizing with `bleach.clean`.

A strong [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) whose [script-src](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) directive omits `unsafe-inline` and `unsafe-eval` will also help mitigate the risk.
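The following is an added example, not Bleach's code or the reporter's, showing both sides of the advice above: `preprocess_html` applies the workaround (strip non-ASCII code points from the scheme part of URI attributes before calling `bleach.clean`), and `violating_uris` is the contract check from the Impact section (flag sanitizer output whose URI scheme contains non-ASCII characters or is a well-formed scheme outside the allowlist). The function names, the `URI_ATTRS` set and the `SCHEME_CHARS` pattern (taken from RFC 3986 section 3.1) are this example's own choices; only `clean_with_preprocessing` needs bleach installed, and its default `allowed` tuple mirrors bleach's default protocol list.

```python
import html
import re
from html.parser import HTMLParser

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_CHARS = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")

# Attributes treated as URI-bearing here (an assumption for this example).
URI_ATTRS = {"href", "src"}


def normalize_scheme(value: str) -> str:
    """Drop non-ASCII code points from the scheme part (text before the first ':').

    Only applied when the ASCII remainder is a valid RFC 3986 scheme, so relative
    references and Unicode in paths or queries are left untouched.
    """
    head, sep, tail = value.partition(":")
    if not sep:
        return value
    ascii_head = "".join(ch for ch in head if ord(ch) < 0x80)
    if ascii_head != head and SCHEME_CHARS.fullmatch(ascii_head):
        return ascii_head + sep + tail
    return value


class _UriAttrRewriter(HTMLParser):
    """Re-serialise markup, applying `fix` to every URI-bearing attribute value."""

    def __init__(self, fix):
        super().__init__(convert_charrefs=True)
        self.fix, self.out = fix, []

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if value is None:
                parts.append(f" {name}")
                continue
            if name.lower() in URI_ATTRS:
                value = self.fix(value)
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser already decoded character references, so re-escape on output.
        self.out.append(html.escape(data, quote=False))


def preprocess_html(html_text: str) -> str:
    """Workaround step: normalise URI schemes before the markup reaches bleach.clean."""
    parser = _UriAttrRewriter(normalize_scheme)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


class _UriAttrCollector(HTMLParser):
    """Collect every URI-bearing attribute value in the markup."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.values.extend(v for n, v in attrs if v is not None and n.lower() in URI_ATTRS)


def violating_uris(html_text: str, allowed=("http", "https", "mailto")) -> list:
    """Post-sanitisation check: values whose scheme part carries non-ASCII characters
    (this advisory's case) or is a well-formed scheme outside `allowed`."""
    collector = _UriAttrCollector()
    collector.feed(html_text)
    collector.close()
    bad = []
    for value in collector.values:
        head, sep, _ = value.partition(":")
        if not sep:
            continue  # no scheme at all: a relative reference
        if any(ord(ch) >= 0x80 for ch in head):
            bad.append(value)
        elif SCHEME_CHARS.fullmatch(head) and head.lower() not in allowed:
            bad.append(value)
    return bad


def clean_with_preprocessing(html_text: str) -> str:
    """Normalise schemes, then sanitise; assumes bleach is installed."""
    import bleach
    return bleach.clean(preprocess_html(html_text))
```

Run on the reporter's payload, `preprocess_html` turns the attribute into a plain `javascript:` URI, which Bleach's protocol allowlist then strips as usual; `violating_uris` on the unpatched 6.3.0 output returns the offending value, which makes it usable as a regression assertion in a test suite or a log check in a rendering pipeline.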

### References

* https://bugzilla.mozilla.org/show_bug.cgi?id=2023812
* RFC 3986, Section 3.1 (URI Scheme syntax): scheme characters are restricted to `ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`

### Reported by

Reported by codeant from CodeAnt AI.


Affected packages

* PyPI / bleach: introduced in 0, fixed in 6.4.0
* Fix: `pip install --upgrade 'bleach>=6.4.0'`
