* The HTML ``Cleaner()`` interpreted an accidentally provided string parameter for the ``host_whitelist`` as a list of characters and silently failed to reject any hosts. Passing a non-collection is now rejected.

4.9.3
==================

Bugs fixed
----------

* A memory leak in ``lxml.html.clean`` was resolved by switching to Cython 0.29.34+.
* URL checking in the HTML cleaner was improved. Patch by Tim McCormack.

4.6.5
==================

Bugs fixed
----------

* A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script content through SVG images (CVE-2021-43818).
* A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script content through CSS imports and other crafted constructs (CVE-2021-43818).

4.6.3
==================

Bugs fixed
----------

* A vulnerability (CVE-2021-28957) was discovered in the HTML Cleaner by Kevin Chung, which allowed JavaScript to pass through. The cleaner now removes the HTML5 ``formaction`` attribute.

4.6.2
==================

Bugs fixed
----------

* A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now removes more sneaky "style" content.

4.6.1
==================

Bugs fixed
----------

* A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now removes more sneaky "style" content.