GHSA-8rfp-98v4-mmr6: Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
A possible XSS bypass affects users calling bleach.clean with all of:
- a in the allowed tags
- href in allowed attributes
The bleach.clean sanitizer passes through href values whose scheme contains a Unicode character above U+00A0 (for example a zero-width space inserted into javascript:), although the caller's protocol allowlist should have stripped them. However, because the inserted Unicode character makes the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:
- Bleach’s output contains URI values that violate the caller’s protocol allowlist, breaking the sanitizer’s contract.
- If a downstream system performs its own Unicode normalization on bleach’s output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.
This is not a direct XSS vulnerability.
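The following is an added example, not code from Bleach or from the reporter. It models the mechanism described above with a stand-alone allowlist check: an RFC 3986 scheme check on the raw attribute value does not see a scheme when a hidden character sits inside it, so the value is treated as a relative URL and kept; a hypothetical downstream normalizer that drops invisible characters then turns it back into javascript:. The hardened check refuses hidden characters outright and applies the allowlist to the normalized form, which also catches fullwidth-letter variants that NFKC folds into ASCII (a generalization beyond the zero-width-space case on this page). The allowlist, the downstream_normalize step and all sample inputs are assumptions constructed for the example.

```python
import re
import unicodedata

# Assumed caller allowlist; the real value is whatever the caller passes to bleach.clean.
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
# [A-Za-z] is an ASCII range here, so any non-ASCII character breaks the match.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def scheme_of(href):
    """Return the RFC 3986 scheme of href in lowercase, or None if it has none."""
    m = _SCHEME_RE.match(href)
    return m.group(1).lower() if m else None


def naive_href_allowed(href):
    """Allowlist check on the raw value: keep if it has no scheme (relative URL)
    or an allowed scheme. This is the pattern the advisory's payload slips past."""
    s = scheme_of(href)
    return s is None or s in ALLOWED_PROTOCOLS


def is_hidden(ch):
    """Characters that can sit inside a would-be scheme without being visible:
    Unicode format chars (Cf, e.g. U+200B ZWSP), controls (Cc) and non-ASCII spaces (Zs)."""
    cat = unicodedata.category(ch)
    return cat in ("Cf", "Cc") or (cat == "Zs" and ch != " ")


def downstream_normalize(href):
    """Hypothetical downstream step (assumption, not any real product's behaviour):
    NFKC-fold, then drop hidden characters and whitespace."""
    folded = unicodedata.normalize("NFKC", href)
    return "".join(ch for ch in folded if not is_hidden(ch) and not ch.isspace())


def hardened_href_allowed(href):
    """Refuse any href carrying hidden characters (they have no legitimate use in a
    URL), then apply the allowlist to the normalized form so that what a downstream
    normalizer would produce is what gets checked."""
    if any(is_hidden(ch) for ch in href):
        return False
    s = scheme_of(downstream_normalize(href))
    return s is None or s in ALLOWED_PROTOCOLS


# Constructed sample hrefs: the advisory's ZWSP payload plus variants.
SAMPLES = [
    "https://example.com/",                    # allowed scheme
    "/relative/path",                          # no scheme
    "javascript:alert(1)",                     # plain disallowed scheme
    "javascript\u200b:alert(document.cookie)", # ZWSP inside the scheme (advisory payload)
    "javascript\u00a0:alert(1)",               # NBSP inside the scheme
    "\uff4aavascript:alert(1)",                # fullwidth 'j', NFKC folds it to ASCII
]


def evaluate(samples=SAMPLES):
    """Return (href, naive verdict, hardened verdict, normalized form) per sample."""
    return [(h, naive_href_allowed(h), hardened_href_allowed(h), downstream_normalize(h))
            for h in samples]


if __name__ == "__main__":
    for href, naive, hardened, norm in evaluate():
        print(f"{href!r}: naive={naive} hardened={hardened} normalized={norm!r}")
```

The naive check keeps the ZWSP, NBSP and fullwidth variants because none of them parses as a scheme in the raw text, exactly the contract violation the advisory describes; the hardened check rejects all three while still accepting the https and relative URLs.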
Python code example from reporter with Bleach v6.3.0 and Python 3.13:
import bleach
# U+200B (zero-width space) inserted between the scheme name and the colon
payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
result1 = bleach.clean(payload1)
print(f"(ZWSP): {repr(result1)}")
Output:
(ZWSP): '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'