All versions of bleach are vulnerable to Cross-Site Scripting. It is possible to bypass the package's HTML sanitization with payloads such as
No fix is currently available. Consider using an alternative package until a fix is made available.