This repository was archived by the owner on Jun 10, 2026. It is now read-only.
v6.4.0
**NOTE: 2026-06-05: Bleach is no longer maintained. There will be no future
releases including for security issues.**
See issue: `<https://github.com/mozilla/bleach/issues/698>`__
**Backwards incompatible changes**
* Dropped support for pypy 3.10. (#764)
**Security fixes**
* Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.
Fix an XSS issue in sanitize_uri_value: a disallowed scheme containing
Unicode invisible characters (for example a zero-width space, U+200B, before
the colon) was not rejected.
For example::

    import bleach

    payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click</a>'
    result1 = bleach.clean(payload1)
    print(repr(result1))

outputs::

    '<a href="javascript\u200b:alert(document.cookie)">Click</a>'
See the advisory for details.
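The following is an added illustration, not Bleach's own code, of the decision pattern behind this class of bug: a URI check that treats "no recognised scheme" as "relative, assume http" accepts a scheme that merely looks malformed to the parser, whereas a check that rejects any colon in scheme position unless it belongs to a well-formed, allowlisted ASCII scheme does not. The function names and the http/https/mailto allowlist are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist for the illustration (http/https/mailto).
ALLOWED_PROTOCOLS = frozenset({"http", "https", "mailto"})


def permissive_is_allowed(value: str, allowed=ALLOWED_PROTOCOLS) -> bool:
    """Hypothetical permissive check that reproduces the bug class.

    urlparse() only recognises ASCII scheme characters, so a scheme such as
    'javascript\u200b' (zero-width space before the colon) yields no scheme,
    the colon-split fallback does not match either, and the value falls
    through to the 'no scheme given, assume http(s)' branch and is accepted.
    """
    parsed = urlparse(value)
    if parsed.scheme:
        return parsed.scheme in allowed
    if value.startswith("#"):
        return True
    if ":" in value and value.split(":", 1)[0] in allowed:
        return True
    return "http" in allowed or "https" in allowed


# A well-formed scheme is ASCII only: a letter, then letters/digits/+/-/.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def strict_is_allowed(value: str, allowed=ALLOWED_PROTOCOLS) -> bool:
    """Hypothetical strict check: a colon in scheme position must belong to a
    well-formed, allowlisted ASCII scheme; otherwise the value is rejected
    rather than treated as a relative reference.

    Entity decoding and whitespace stripping are assumed to have happened
    before this function is called.
    """
    # Only text before the first '/', '?' or '#' can hold a scheme.
    head = re.split(r"[/?#]", value, maxsplit=1)[0]
    if ":" not in head:
        return True  # genuinely relative (or fragment-only) reference
    match = _SCHEME_RE.match(head)
    if match is None:
        return False  # colon present but scheme malformed, e.g. invisible chars
    return match.group(1).lower() in allowed
```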
* Fix GHSA-gj48-438w-jh9v.
Fix an issue where URI sanitization was not applied to formaction attributes.
See the advisory for details.
**Bug fixes**
* Add support for pypy 3.11. (#764)
* Drop version max in tinycss2 pin. (#772)
This removes one of the things we had to keep checking and updating. Users
are now responsible for verifying correctness with the version of tinycss2
they use.