Replace Bleach with JustHTML

[chrstinalin]

Fixes mozilla/addons#15291

Description

Replaces the deprecated bleach library with JustHTML.

Notable behavioural changes:

1. Quotes on their own are not necessarily escaped. See: src/olympia/amo/tests/test_amo_utils.py, src/olympia/translations/tests/test_commands.py
2. Malformed tags are escaped rather than stripped. See: src/olympia/addons/tests/test_models.py

Testing

1. Follow the testing section of Support Markdown in Add-on Listing Fields #22956 to ensure no regressions around Markdown have occurred.

Checklist

• Add #ISSUENUM at the top of your PR to an existing open issue in the mozilla/addons repository.
• Successfully verified the change locally.
• The change is covered by automated tests, or otherwise indicated why doing so is unnecessary/impossible.

[diox]

Quotes on their own are not necessarily escaped

That could have been dangerous, but I can't find any places where that's problematic. The pattern I was worried about would be XSS through attributes like " onmouseover="alert(5) when inserted into something like title="{{ clean_me(dangerous) }}" but the code where this behavior has changed is linkify_* and escape_all, and those are meant to return HTMLified content anyway, so we wouldn't use that inside an attribute value.

Malformed tags are escaped rather than stripped.

That was a weird behavior which I'm happy to see go away - stripping malformed tag we recognize instead of escaping them never made much sense...

[diox]

Looks good! Some comments to try to refactor a bit to make it simpler if possible.

[diox]

Do we care? That seems to add complexity that's going to be annoying later. Is the difference only newlines in the final output ? Can you point to a test that was failing without that bit ?

[chrstinalin]

These are the tests that were failing:

src/olympia/addons/tests/test_models.py::TestAddonModels::test_blockquote_markdown
src/olympia/addons/tests/test_models.py::TestAddonModels::test_bold_markdown
src/olympia/addons/tests/test_models.py::TestAddonModels::test_code_markdown
src/olympia/addons/tests/test_models.py::TestAddonModels::test_italics_markdown
src/olympia/addons/tests/test_indexers.py::TestAddonIndexer::test_extract_version_and_files
src/olympia/addons/tests/test_models.py::TestAddonModels::test_nested_newline
src/olympia/addons/tests/test_models.py::TestAddonModels::test_newlines
src/olympia/addons/tests/test_models.py::TestAddonModels::test_newlines_xss_script

I don't like it being there, but I was concerned specifically by src/olympia/addons/tests/test_models.py::TestAddonModels::test_newlines, since justHTML will interpret them into single newlines on the second clean. Without this line:

[chrstinalin]

Looking again, I misinterpreted here. It's because <p> is not in the allowed tags and is stripped; so a possible way to avoid this is adding p to the allowed_tags and updating the tests:

<p>Paragraph one.\nThis should be on the very next line.</p>\n<p>Should be two nl's before this line.</p>\n<p>Should be two nl's before this line.</p>\n<p>Should be two nl's before this line.</p>

Which I believe should be visually identical?

This would involve updating alot more tests than the ones above, though.

[diox]

I wouldn't mind allowing the <p>, I think atm add-on descriptions are the only place where we use this, and they are inside a <div> to it would probably be fine to allow <p>. Could you test locally with description from several popular add-ons like https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ which are using newlines ?

[chrstinalin]

There does seem to be issues with <p> rather than newlines. Just copy/pasting, with newlines:

and without (allowing/using <p>):

Which seems to notably affect block-level elements. It seems like going down this route would still introduce a workaround somewhere along the line, so getting it right at the root as it currently does does seem like the simplest solution.