@@ -357,11 +357,12 @@ These configuration keys are used globally across all features.
357357
358358 .. danger ::
359359 Make sure your mapper methods guard against malicious user input. For example,
360- if you allow ``username `` as an identity method you could use `bleach `_::
360+ if you allow ``username `` as an identity method you could use `nh3 `_::
361361
362362 def uia_username_mapper(identity):
363- # we allow pretty much anything - but we bleach it.
364- return bleach.clean(identity, strip=True)
363+ # we allow pretty much anything - but we sanitize it.
364+ # tags=set() strips all HTML tags rather than allowing nh3's defaults.
365+ return nh3.clean(identity, tags=set())
365366
366367 Default::
367368
@@ -383,7 +384,7 @@ These configuration keys are used globally across all features.
383384 .. versionchanged :: 4.0.0
384385 Changed from list to list of dict.
385386
386- .. _ bleach : https://pypi.org/project/bleach /
387+ .. _ nh3 : https://pypi.org/project/nh3 /
387388
388389.. py :data :: SECURITY_USER_IDENTITY_MAPPINGS
389390
@@ -987,8 +988,8 @@ Registerable
987988
988989 Validation and normalization is encapsulated in :class: `.UsernameUtil `.
989990 Note that the default validation restricts username input to be unicode
990- letters and numbers. It also uses ``bleach `` to scrub any risky input. Be
991- sure your application requirements includes `bleach `_.
991+ letters and numbers. It also uses ``nh3 `` to scrub any risky input. Be
992+ sure your application requirements includes `nh3 `_.
992993
993994 Default: ``False ``
994995
0 commit comments