thunderbird

What is it?

Bleach is a Python library for sanitizing and linkifying text from untrusted sources for safe usage in HTML.

Bleach v6.4.0 released!

Bleach 6.4.0 includes two security fixes, a fix to tinycss2 dependency requirements, and some other things.

See the changes here:

https://bleach.readthedocs.io/en/latest/changes.html#version-6-4-0-june-5th-2026

Bleach v6.4.0 is the final release

I haven't used Bleach on a project in years, but I still had some time to maintain it. That changed about a year ago when I got re-orged into a new role and I haven't had time to do any Bleach work since then.

To recap, Bleach sits on top of html5lib which hasn't been actively maintained in years. It is dangerous to maintain Bleach in that context.

We vendored html5lib so we could make adjustments to the library to keep Bleach going. This is not a sustainable approach, but it was ok for the short term.

Over the years, we've talked about other options:

find another library to switch to
take over html5lib development
fork html5lib and vendor and maintain our fork
write a new HTML parser
etc

None of those are feasible for me.

Bleach has been a solo-maintained project for a while now. The world is crazy and it's much harder to build a team of trusted maintainers now than it was (or at least, it sure feels that way). I don't see any possibility of increasing the maintenance team or passing it to someone else responsibly.

Switching contexts from my regular work to Bleach is really hard. Bleach is complicated, the problem domain is complicated, and there's a lot of nuanced context. I can't just switch gears, spend 15 minutes on Bleach to do something, and then switch back to the rest of my day. I periodically get nag messages about this which are entirely valid, but there's nothing I can do about it. It doesn't feel great.

Then in 2025, Emil, a long-time Bleach contributor, built justhtml which gives us an easy migration path off of Bleach. He even took the time to write a migration guide.

Thoughts and statistics

In 2019, when I stepped down the first time, I wrote a post on stepping down.

In 2023, when I deprecated the project, I wrote a post on Bleach 6.0.0 and deprecation.

From the first commit on 2010-02-18 to today's final commit on 2026-06-05, the Bleach project lasted 16 years, 3 months - 5,951 days, or about 16.29 years.
There were 64 releases.
There were roughly 960 commits.
- From 80 roughly contributors
- Top 3:
  - Will Kahn-Greene: 462
  - James Socol: 182
  - Greg Guthe: 133
Roughly 5,040 lines of Python code excluding the vendored html5lib.
I was maintainer from October 2015 to now--that's a little under 11 years.

It feels weird to end a project that's outlived many of the Mozilla sites and Python web frameworks it was designed to protect.

What happens now?

This is the end of the project.

/images/bleach_deprecation.thumbnail.jpg — Bleach. Last release.

If you're still using Bleach, I think you have three options:

End your project. Maybe you don't need to be maintaining your thing anymore? Use Bleach as your reason to exit and do something different with your time on Earth.
Switch to the sanitizer API. Rework your project to use the sanitizer API.
- Spec: https://wicg.github.io/sanitizer-api/
- Docs: https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML
Swap Bleach out for justhtml. Emil provided a migration guide for switching from Bleach to justhtml.

Good luck with whatever option you choose!

Thanks!

Many thanks to James who created Bleach and gave it a set of first principles that guided our choices for 16 years.

Many thanks to Greg who I worked with on Bleach for a long while and maintained Bleach for several years. Working with Greg was always easy and his reviews were thoughtful and spot-on.

Many thanks to Emil who was a contributor to Bleach for a long while and created justhtml providing Bleach users a migration path.

Many thanks to Jonathan who, over the years, provided a lot of insight into how best to solve some of Bleach's more squirrely problems.

Many thanks to Sam who was an indispensible resource on HTML parsing and sanitizing text in the context of HTML.

Many thanks to all the users and contributors of Bleach!

Where to go for more

For more specifics on this release, see here: https://bleach.readthedocs.io/en/latest/changes.html#version-6-4-0-june-5th-2026

Documentation and quickstart here: https://bleach.readthedocs.io/en/latest/

Source code and issue tracker here: https://github.com/mozilla/bleach/

05 Jun 2026 1:00pm GMT

Highlights

James enabled adaptive autofill in Nightly for testing, which we believe should provide better results in the URL bar when doing autocomplete!
Jack updated the illustrations shown on some of our error pages to match the latest approved designs, giving users more polished artwork when the browser encounters connection or security errors!

Internet connection error page with an adorable Kit illustration

Controls for the Memories feature can now be set during Smart Window onboarding

Two radio button controls for the Smart Window Memories feature, including "Chats in Smart Window" and "Browsing across Firefox"

We've disabled the CSS filter implicitly applied to WebExtension pageAction SVG icons across all release channels starting in Firefox 152, completing the deprecation
- NOTE: The blog post published at WebExtensions API changes in Firefox 149-152 provides to extensions developers more details about this deprecation and links to the related MDN docs.

Friends of the Firefox team

Resolved bugs (excluding employees)

Script to find new contributors from bug list

Volunteers that fixed more than one bug

Amin Amir
Pranjali Srivastava
Sam Johnson

New contributors (🌟 = first patch)

Project Updates

Add-ons / Web Extensions

Addon Manager & about:addons

Fixed long-standing regression on the autocomplete and datalist popups for extension inline options pages on about:addons (introduced in Firefox 68 by Bug 1532724, fix shipping in Firefox 152) - Bug 1595158

WebExtensions Framework

Fixed access to web-accessible resources declared with <all_urls> from sandboxed documents (null-principal URLs), restoring extension redirects from the context-menu search flow, starting in Firefox 152 - Bug 2033905

WebExtension APIs

Added exhaustive test coverage for tabs.move() against additional edge cases related to split-view tabs - Bug 2029092

DevTools

Andreas Farre improved the Session History tab in the Application panel (still behind devtools.application.sessionHistory.enabled)
- added support for remote debugging (#2014064, #2016121)
- made sure that calls to History.replaceState are reflected in the UI (#2037359)
Julian Descottes [:jdescottes] fixed the most frequent DevTools crash we were observing in Telemetry, adding a guard against IDBTransaction errors when retrieving breakpoints in the Debugger (#2030260)
Nicolas Chevobbe [:nchevobbe] fixed the image preview tooltip for relative URLs images in constructed stylesheet (#2035503)
Julian Descottes [:jdescottes] reduced the overhead we had because of network requests monitoring by only decoding response content when the user actually want to see the response (#2026228)

WebDriver

Amin Amir cleaned up an incorrect variable assignment in our browsingContext module.
Logan Rosen updated stale references and broken links in our documentation about Marionette.
Sameem improved the Marionette and WebDriver BiDi screenshot commands to enforce maximum allowed dimensions.
Leo McArdle fixed the regression in the "log.entryAdded" event, which lacked an error message in the "text" field for the messages of type "error".
Henrik Skupin fixed an issue in Marionette where WebDriver:Navigate and WebDriver:Refresh did not handle errors when the underlying navigation failed.
Henrik Skupin improved geckodriver to detect an early Firefox exit during startup on Android, avoiding up to 60 seconds of unnecessary connection attempts.
Henrik Skupin updated the geckodriver CI build job to produce a universal macOS binary supporting both x64 and aarch64.

Lint, Docs and Workflow

Sylvestre ported some linters (e.g. file-whitespace, test-manifest-toml, license, file-perm, rejected-words & more) to Rust to help improve the runtime of the code review bot.
Dale has been working on migration to moz-src for customkeys, dom/quota and odom/geolocation
- https://arewemozsrcyet.com/

New Tab Page

We did our first region-specific trainhop on May 11th (just 15% of the US), and turned on HNT Nova (and sometimes Widgets) for those clients to get some advance-data of its behaviour in the wild! A note that HNT Nova gets turned on for everybody when Firefox 151 ships on May 19th.
- We'll be launching a similar experiment in the DE, probably on May 12th, also at 15% population.
Most of the team is heads down building out a sports-tracking widget, attempting to get that ready in time to be generally available for the upcoming World Cup event.
Dre landed a new world clock widget, which is currently off by default, but pretty snazzy!

World clock widget in New Tab featuring different time zones for YTO, BER, SYD, and LAX.

Search and Urlbar

Nova (URL Bar Design Refresh)
- Drew and Daisuke continued their work on Nova styling for the Address bar (input and view).
Search and Suggest
- Drew finalized two bugs for World Cup and sports suggestions, which were landed and uplifted: one to update the localization string for scheduled games and another to show both teams' icons in suggestions. Drew also landed and uplifted a fix for rich search suggestion icons being forced into a square aspect ratio.
- Standard8 updated Ecosia favicons to the latest branding, including QA testing and publishing.
Settings Redesign (SRD)
- Stephanie landed a test to ensure search suggestion settings are hidden when quicksuggest is disabled, as well as a patch to resolve TypeScript issues in search.mjs, and is adding test coverage to confirm removed search engines are not displayed in the default engines dropdown.
General URL Bar and Component Updates
- Daisuke landed implementation of the context menu on URL bar results, and a fix to show the loading URL in the URL bar when starting up with a homepage.
  - Marco is working on several tasks, including a PDF download / focus stealing issue and allowing arrays to be bound in Sqlite.sys.mjs. Marco also worked on fixes related to Places, such as avoiding replacing the favicons database if it is not corrupt.
- Standard8 finalized the URL bar test manifest split. Standard8 also upgraded us to TypeScript 6.
- Moritz landed a fix for URL bar abandonment telemetry being recorded when clicking an engine in the unified search button popup (Bug 2032973), which was also uplifted. Moritz also simplified search mode switcher item activation in tests, and made it so that the unified search button popup closes when installing an open search engine.

Smart Window

natural language starting with tab close/undo 2035343 with expandable action log 2031508

Tab close and undo actions in Smart Window accompanied by an expandable log of actions taken

assistant rendering feedback up/down 2032994 and markdown table 2027029
nova styling blur 2027877 and suggestions 2026823
accessibility screen reader 2028676 and keyboard focus 2037565
optimize conversation starters extra requests 2030005 and caching 2033430

Storybook/Reusable Components/Acorn Design System

Nova token updates occasionally, focused on SRD

UX Fundamentals

Added support for the "SEC_ERROR_CA_CERT_INVALID" certificate error to the Felt Privacy error pages. - 2035942

Settings Redesign

Settings redesign is being tested and will hopefully go out in Firefox 152!

03 Jun 2026 6:27pm GMT

Hello and welcome to another issue of This Week in Rust! Rust is a programming language empowering everyone to build reliable and efficient software. This is a weekly summary of its progress and community. Want something mentioned? Tag us at @thisweekinrust.bsky.social on Bluesky or @ThisWeekinRust on mastodon.social, or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub and archives can be viewed at this-week-in-rust.org. If you find any errors in this week's issue, please submit a PR.

Want TWIR in your inbox? Subscribe here.

Updates from Rust Community

Official

Launching the Rust Foundation Maintainers Fund

Project/Tooling Updates

Observations/Thoughts

Rust Walkthroughs

Research

Counterfactuals via the Causal Monad in Rust

Crate of the Week

This week's crate is remyx, a framework for building TUIs on top of Ratatui.

Thanks to Manuel Garcia de la Vega for the self-suggestion!

Please submit your suggestions and votes for next week!

Calls for Testing

An important step for RFC implementation is for people to experiment with the implementation and give feedback, especially before stabilization.

If you are a feature implementer and would like your RFC to appear in this list, add a call-for-testing label to your RFC along with a comment providing testing instructions and/or guidance on which aspect(s) of the feature need testing.

No calls for testing were issued this week by Rust, Cargo, Rustup or Rust language RFCs.

Let us know if you would like your feature to be tracked as a part of this list.

Call for Participation; projects and speakers

CFP - Projects

Always wanted to contribute to open-source projects but did not know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

If you are a Rust project owner and are looking for contributors, please submit tasks here or through a PR to TWiR or by reaching out on Bluesky or Mastodon!

CFP - Events

Are you a new or experienced speaker looking for a place to share something cool? This section highlights events that are being planned and are accepting submissions to join their event as a speaker.

Scientific Computing in Rust 2026| 2026-06-05 | Virtual | 2026-07-08 - 2026-07-10

If you are an event organizer hoping to expand the reach of your event, please submit a link to the website through a PR to TWiR or by reaching out on Bluesky or Mastodon!

Updates from the Rust Project

500 pull requests were merged in the last week

Compiler

Library

Cargo

Rustdoc

Clippy

Rust-Analyzer

Rust Compiler Performance Triage

This week we saw nice wins across the board thanks to merging several compiler queries together (#155678), and also substantial improvements in doc performance thanks to doing less work when sorting trait impls (#157179).

Triage done by @Kobzol. Revision range: 783eb8c8..4804ad7e

Summary:

(instructions:u)	mean	range	count
Regressions ❌ (primary)	0.3%	[0.1%, 0.7%]	14
Regressions ❌ (secondary)	0.4%	[0.1%, 0.9%]	39
Improvements ✅ (primary)	-0.9%	[-6.8%, -0.2%]	111
Improvements ✅ (secondary)	-1.1%	[-2.9%, -0.1%]	53
All ❌✅ (primary)	-0.8%	[-6.8%, 0.7%]	125

3 Regressions, 1 Improvement, 2 Mixed; 4 of them in rollups 35 artifact comparisons made in total

Full report here.

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:

No RFCs were approved this week.

Final Comment Period

Every week, the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

Tracking Issues & PRs

Rust

Compiler Team (MCPs only)

Unsafe Code Guidelines

Can references to uninhabited types ever be valid?

No Items entered Final Comment Period this week for Rust RFCs, Cargo, Language Team, Language Reference or Leadership Council. Let us know if you would like your PRs, Tracking Issues or RFCs to be tracked as a part of this list.

2026-06-03 | Virtual (Indianapolis, IN, US) | Indy Rust
- Indy.rs - with Social Distancing
2026-06-04 | Virtual (Berlin, DE) | Rust Berlin
- Rust Hack and Learn
2026-06-04 | Virtual (Nürnberg, DE) | Rust Nuremberg
- Rust Nürnberg online
2026-06-04 | Virtual (Tel Aviv-yafo, IL) | Code Mavens 🦀 - 🐍 - 🐪
- Exploring FalkorDB - Learning to use a Graph Database in Rust
2026-06-06 | Virtual (Kampala, UG) | Rust Circle Meetup
- Rust Circle Meetup
2026-06-07 | Virtual (Dallas, TX, US) | Dallas Rust User Meetup
- Rust Deep Learning: First Sunday
2026-06-08 | Virtual (Cardiff, UK) | Rust and C++ Cardiff
- RustWeek Reflections
2026-06-09 | Virtual (Dallas, TX, US) | Dallas Rust User Meetup
- Second Tuesday
2026-06-09 | Virtual (London, UK) | Women in Rust
- 👋 Community Catch Up
2026-06-10 | Virtual (Girona, ES) | Rust Girona
- Weekly coding session
2026-06-16 | Virtual (Washington, DC, US) | Rust DC
- Mid-month Rustful
2026-06-17 | Hybrid (Vancouver, BC, CA) | Vancouver Rust
- Rust Study/Hack/Hang-out
2026-06-17 | Virtual (Girona, ES) | Rust Girona
- Weekly coding session
2026-06-18 | Hybrid (Seattle, WA, US) | Seattle Rust User Group
- June, 2026 SRUG (Seattle Rust User Group) Meetup
2026-06-18 | Virtual (Berlin, DE) | Rust Berlin
- Rust Hack and Learn
2026-06-21 | Virtual (Dallas, TX, US) | Dallas Rust User Meetup
- Rust Deep Learning: Third Sunday
2026-06-23 | Virtual (Dallas, TX, US) | Dallas Rust User Meetup
- Fourth Tuesday
2026-06-23 | Virtual (London, UK) | Women in Rust
- Lunch & Learn: What the heck are monads - and how do we fake them in Rust
2026-07-01 | Virtual (Indianapolis, IN, US) | Indy Rust
- Indy.rs - with Social Distancing

South America

2026-06-18 | Florianópolis, BR | Rust SC
- Rust Floripa

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Jobs

Please see the latest Who's Hiring thread on r/rust

Quote of the Week

If memory safety bugs were Waldo (Wally): finding them in C programs is a "Where's Waldo?" game, and Rust's unsafe simplifies it to "Is this Waldo?"

- kornel on rust-users

Thanks to Moy2010 for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by:

Email list hosting is sponsored by The Rust Foundation

Discuss on r/rust

03 Jun 2026 4:00am GMT

fidzu : thunderbird

05 Jun 2026