Consider replacing lxml_html_clean with nh3

[iaindillingham]

Currently, we use both lxml_html_clean and nh3 for cleaning HTML. Assuming that both packages perform similar functions, using them means we have an unnecessary dependency.

I'd suggest replacing lxml_html_clean with nh3, rather than the other way around, because:

Note: the HTML Cleaner in lxml_html_clean is not considered appropriate for security sensitive environments. See e.g. bleach for an alternative.

However, bleach is deprecated, which is why we added nh3 in the first place.

Usage

We use lxml_html_clean to prepare OS Interactive reports for display on OS Reports:

job-server/jobserver/reports.py

Lines 13 to 15 in 7de6a7d

	cleaned = Cleaner(page_structure=False, style=True, kill_tags=["head"]).clean_html(
	html
	)

We use nh3 to prepare a project's status description:

job-server/jobserver/views/projects.py

Line 38 in 7de6a7d

project.status_description = nh3.clean(markdown(project.status_description))

job-server/staff/views/projects.py

Lines 218 to 220 in 7de6a7d

	"status_description_html": nh3.clean(
	markdown(self.object.status_description)
	),

Related

• Bump lxml from 5.1.0 to 5.2.0 #4251
• Fixes for Markdown project status description field #4155