This repository was archived by the owner on Mar 26, 2025. It is now read-only.

djangocms-text-ckeditor 3.6.0 has requirement html5lib<0.99999999 #491

Closed
AbdulWaheedPasha opened this issue Oct 4, 2018 · 5 comments

Comments

@AbdulWaheedPasha

Divio, please update the requirement of djangocms-text-ckeditor
from html5lib<0.99999999 to html5lib 1.0.1,
because I can't run another library.
xhtml2pdf can't run without html5lib 1.0.1.

@rhunwicks

Perhaps more importantly, this fails the checks using the Safety database:

| Package | Installed | Affected | ID | Advisory |
|---|---|---|---|---|
| html5lib | 0.9999999 | <0.99999999 | 35693 | The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the `<` (less than) character in attribute values. |
| html5lib | 0.9999999 | <0.99999999 | 35694 | The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909. |
| html5lib | 0.9999999 | <0.99999999 | 25846 | html5lib before 0.99999999 is vulnerable to a XSS attack. Upgrading avoids the XSS bug potentially caused by serializer allowing attribute values to be escaped out of in old browser versions, changing the quote_attr_values option on serializer to take one of three values, "always" (the old True value), "legacy" (the new option, and the new default), and "spec" (the old False v |
@rhunwicks

rhunwicks commented Nov 7, 2018

Note that this is already fixed in trunk - see #403 and #464, etc.

I.e. even though it would be good to get a new PyPI release, you can fix it now by installing from GitHub, e.g. in your requirements file:

git+https://github.com/divio/djangocms-text-ckeditor.git@b2c9bd9dbe9c3bdf0464953845e8933b05ae125b#egg

@rhunwicks

Personally, I think that this is a duplicate of #403 and can be closed.

@bplociennik
Contributor

The newest version uses html5lib>=0.999999999
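
The pins quoted across this thread, checked with a small stdlib-only script. This is an added example, not code from djangocms-text-ckeditor, Safety or any commenter; it assumes the reporter's "xhtml2pdf can't run without html5lib 1.0.1" means html5lib>=1.0.1, and it compares dotted versions as integer tuples, which is enough for these strings but is not a full PEP 440 implementation.

```python
import re

# Requirement strings quoted in this thread: the pin from the 3.6.0 release,
# the floor bplociennik says the newest version uses, and the reporter's
# statement that xhtml2pdf needs html5lib 1.0.1 (assumed here to mean >=1.0.1).
REQUIREMENTS = {
    "djangocms-text-ckeditor 3.6.0": "html5lib<0.99999999",
    "djangocms-text-ckeditor (newest)": "html5lib>=0.999999999",
    "xhtml2pdf": "html5lib>=1.0.1",
}
# Safety advisory IDs and affected ranges copied from the scan output above.
ADVISORIES = {"35693": "<0.99999999", "35694": "<0.99999999", "25846": "<0.99999999"}

# optional package name, one comparison operator, a dotted numeric version
_SPEC = re.compile(r"^\s*(?:[A-Za-z0-9_-]+)?\s*(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)\s*$")

def parse_version(text):
    """'0.99999999' -> (0, 99999999): each dotted part is an integer, so
    0.9999999 (seven 9s) < 0.99999999 (eight 9s) < 1.0 < 1.0.1."""
    return tuple(int(p) for p in text.strip(".").split("."))

def satisfies(version, specifier):
    """True if `version` meets one comparison such as 'html5lib<0.99999999'."""
    m = _SPEC.match(specifier)
    if not m:
        raise ValueError("unsupported specifier: %r" % specifier)
    op, bound = m.group(1), parse_version(m.group(2))
    have = parse_version(version)
    width = max(len(have), len(bound))          # pad so that 1.0 == 1.0.0
    have += (0,) * (width - len(have))
    bound += (0,) * (width - len(bound))
    return {"<": have < bound, "<=": have <= bound, "==": have == bound,
            "!=": have != bound, ">": have > bound, ">=": have >= bound}[op]

def unsatisfied_requirements(version):
    """Names of the packages whose html5lib requirement `version` violates."""
    return [name for name, spec in REQUIREMENTS.items() if not satisfies(version, spec)]

def matching_advisories(version):
    """Advisory IDs whose affected range still covers `version` (what Safety flags)."""
    return [aid for aid, spec in ADVISORIES.items() if satisfies(version, spec)]

if __name__ == "__main__":
    for v in ("0.9999999", "0.99999999", "1.0.1"):
        print(v, "violates:", unsatisfied_requirements(v),
              "flagged by:", matching_advisories(v))
```

Running it shows the bind the reporter is in: 0.9999999 satisfies the 3.6.0 pin but matches all three advisories, while 1.0.1 clears the advisories and the newest floor but violates the 3.6.0 pin.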
