Change Log


Unreleased yet


  • Add support for the <wbr> element in the sanitizer, which indicates a line break opportunity. This element is allowed by default. (#395) (Thank you, Tom Most!)
  • Add support for serializing the <ol reversed> boolean attribute. (Thank you, Tom Most!) (#396)
  • The <ol reversed> and <ol start> attributes are now permitted by the sanitizer. (#321) (Thank you, Tom Most!)

Bug fixes:

  • The sanitizer now permits <summary> tags. It used to allow <details> already. (#423)


Released on June 23, 2020

Breaking changes:

  • Drop support for Python 3.3. (#358)
  • Drop support for Python 3.4. (#421)


  • Deprecate the html5lib sanitizer (html5lib.serialize(sanitize=True) and html5lib.filters.sanitizer). We recommend users migrate to Bleach <>. Please let us know if Bleach doesn’t suffice for your use. (#443)

Other changes:

  • Try to import from to remove DeprecationWarning and ensure html5lib keeps working in future Python versions. (#403)
  • Drop optional datrie dependency. (#442)


Released on December 7, 2017

Breaking changes:

  • Drop support for Python 2.6. (#330) (Thank you, Hugo, Will Kahn-Greene!)
  • Remove utils/ (#353) (Thank you, Jon Dufresne!)


  • Improve documentation. (#300, #307) (Thank you, Jon Dufresne, Tom Most, Will Kahn-Greene!)
  • Add iframe seamless boolean attribute. (Thank you, Ritwik Gupta!)
  • Add itemscope as a boolean attribute. (#194) (Thank you, Jonathan Vanasco!)
  • Support Python 3.6. (#333) (Thank you, Jon Dufresne!)
  • Add CI support for Windows using AppVeyor. (Thank you, John Vandenberg!)
  • Improve testing and CI and add code coverage (#323, #334), (Thank you, Jon Dufresne, John Vandenberg, Sam Sneddon, Will Kahn-Greene!)
  • Semver-compliant version number.

Bug fixes:

  • Add support for setuptools < 18.5 to support environment markers. (Thank you, John Vandenberg!)
  • Add explicit dependency for six >= 1.9. (Thank you, Eric Amorde!)
  • Fix regexes to work with Python 3.7 regex adjustments. (#318, #379) (Thank you, Benedikt Morbach, Ville Skyttä, Mark Vasilkov!)
  • Fix alphabeticalattributes filter namespace bug. (#324) (Thank you, Will Kahn-Greene!)
  • Include license file in generated wheel package. (#350) (Thank you, Jon Dufresne!)
  • Fix annotation-xml typo. (#339) (Thank you, Will Kahn-Greene!)
  • Allow uppercase hex chararcters in CSS colour check. (#377) (Thank you, Komal Dembla, Hugo!)


Released and unreleased on December 7, 2017. Badly packaged release.


Released on July 15, 2016

  • Fix attribute order going to the tree builder to be document order instead of reverse document order(!).


Released on July 14, 2016

  • Added ordereddict as a mandatory dependency on Python 2.6.
  • Added lxml, genshi, datrie, charade, and all extras that will do the right thing based on the specific interpreter implementation.
  • Now requires the mock package for the testsuite.
  • Cease supporting DATrie under PyPy.
  • Remove PullDOM support, as this hasn’t ever been properly tested, doesn’t entirely work, and as far as I can tell is completely unused by anyone.
  • Move testsuite to pytest.
  • Fix #124: move to webencodings for decoding the input byte stream; this makes html5lib compliant with the Encoding Standard, and introduces a required dependency on webencodings.
  • Cease supporting Python 3.2 (in both CPython and PyPy forms).
  • Fix comments containing double-dash with lxml 3.5 and above.
  • Use scripting disabled by default (as we don’t implement scripting).
  • Fix #11, avoiding the XSS bug potentially caused by serializer allowing attribute values to be escaped out of in old browser versions, changing the quote_attr_values option on serializer to take one of three values, “always” (the old True value), “legacy” (the new option, and the new default), and “spec” (the old False value, and the old default).
  • Fix #72 by rewriting the sanitizer to apply only to treewalkers (instead of the tokenizer); as such, this will require amending all callers of it to use it via the treewalker API.
  • Drop support of charade, now that chardet is supported once more.
  • Replace the charset keyword argument on parse and related methods with a set of keyword arguments: override_encoding, transport_encoding, same_origin_parent_encoding, likely_encoding, and default_encoding.
  • Move filters._base, treebuilder._base, and treewalkers._base to .base to clarify their status as public.
  • Get rid of the sanitizer package. Merge sanitizer.sanitize into the sanitizer.htmlsanitizer module and move that to sanitizer. This means anyone who used sanitizer.sanitize or sanitizer.HTMLSanitizer needs no code changes.
  • Rename treewalkers.lxmletree to .etree_lxml and treewalkers.genshistream to .genshi to have a consistent API.
  • Move a whole load of stuff (inputstream, ihatexml, trie, tokenizer, utils) to be underscore prefixed to clarify their status as private.


Released on September 10, 2015

  • Fix #195: fix the sanitizer to drop broken URLs (it threw an exception between 0.9999 and 0.999999).


Released on July 7, 2015

  • Fix #189: fix the sanitizer to allow relative URLs again (as it did prior to 0.9999/1.0b5).


Released on April 30, 2015

  • Fix #188: fix the sanitizer to not throw an exception when sanitizing bogus data URLs.


Released on April 29, 2015

  • Fix #153: Sanitizer fails to treat some attributes as URLs. Despite how this sounds, this has no known security implications. No known version of IE (5.5 to current), Firefox (3 to current), Safari (6 to current), Chrome (1 to current), or Opera (12 to current) will run any script provided in these attributes.
  • Pass error message to the ParseError exception in strict parsing mode.
  • Allow data URIs in the sanitizer, with a whitelist of content-types.
  • Add support for Python implementations that don’t support lone surrogates (read: Jython). Fixes #2.
  • Remove localization of error messages. This functionality was totally unused (and untested that everything was localizable), so we may as well follow numerous browsers in not supporting translating technical strings.
  • Expose treewalkers.pprint as a public API.
  • Add a documentEncoding property to HTML5Parser, fix #121.


Released on December 23, 2013

  • Fix #127: add work-around for CPython issue #20007: .read(0) on http.client.HTTPResponse drops the rest of the content.
  • Fix #115: lxml treewalker can now deal with fragments containing, at their root level, text nodes with non-ASCII characters on Python 2.


Released on September 10, 2013

  • No library changes from 1.0b3; released as 0.99 as pip has changed behaviour from 1.4 to avoid installing pre-release versions per PEP 440.


Released on July 24, 2013

  • Removed RecursiveTreeWalker from treewalkers._base. Any implementation using it should be moved to NonRecursiveTreeWalker, as everything bundled with html5lib has for years.
  • Fix #67 so that BufferedStream to correctly returns a bytes object, thereby fixing any case where html5lib is passed a non-seekable RawIOBase-like object.


Released on June 27, 2013

  • Removed reordering of attributes within the serializer. There is now an alphabetical_attributes option which preserves the previous behaviour through a new filter. This allows attribute order to be preserved through html5lib if the tree builder preserves order.
  • Removed dom2sax from DOM treebuilders. It has been replaced by treeadapters.sax.to_sax which is generic and supports any treewalker; it also resolves all known bugs with dom2sax.
  • Fix treewalker assertions on hitting bytes strings on Python 2. Previous to 1.0b1, treewalkers coped with mixed bytes/unicode data on Python 2; this reintroduces this prior behaviour on Python 2. Behaviour is unchanged on Python 3.


Released on May 17, 2013

  • Implementation updated to implement the HTML specification as of 5th May 2013 (SVN revision r7867).
  • Python 3.2+ supported in a single codebase using the six library.
  • Removed support for Python 2.5 and older.
  • Removed the deprecated Beautiful Soup 3 treebuilder. beautifulsoup4 can use html5lib as a parser instead. Note that since it doesn’t support namespaces, foreign content like SVG and MathML is parsed incorrectly.
  • Removed simpletree from the package. The default tree builder is now etree (using the xml.etree.cElementTree implementation if available, and xml.etree.ElementTree otherwise).
  • Removed the XHTMLSerializer as it never actually guaranteed its output was well-formed XML, and hence provided little of use.
  • Removed default DOM treebuilder, so html5lib.treebuilders.dom is no longer supported. html5lib.treebuilders.getTreeBuilder("dom") will return the default DOM treebuilder, which uses xml.dom.minidom.
  • Optional heuristic character encoding detection now based on charade for Python 2.6 - 3.3 compatibility.
  • Optional Genshi treewalker support fixed.
  • Many bugfixes, including:
    • #33: null in attribute value breaks XML AttValue;
    • #4: nested, indirect descendant, <button> causes infinite loop;
    • Google Code 215: Properly detect seekable streams;
    • Google Code 206: add support for <video preload=…>, <audio preload=…>;
    • Google Code 205: add support for <video poster=…>;
    • Google Code 202: Unicode file breaks InputStream.
  • Source code is now mostly PEP 8 compliant.
  • Test harness has been improved and now depends on nose.
  • Documentation updated and moved to


Released on February 11, 2012


Released on January 17, 2010


Released on June 12, 2008


Released on June 10, 2008


Released on October 7, 2007


Released on March 11, 2007


Released on January 8, 2007