I have a couple of low-to-moderate severity vulnerabilities to report in lxml.html.clean (and would be happy to submit tests and patches). I did not see a designated security contact or reporting process. What process should I use? - Tim McCormack
The way to do that would be to contact Stefan Behnel (https://github.com/scoder) directly. Although note that in early 2022 the cleaner was officially deprecated / abandoned for any security-adjacent context: https://lxml.de/lxmlhtml.html#cleaning-up-html (see https://bugs.launchpad.net/lxml/+bug/1958539 for the motivating background).

And because libxml2's HTML parser is a non-HTML5 parser, it is a known source of compatibility issues. As a result I would assume any security report on the cleaner will be pointed to the sign, and told to use mozilla/bleach or some such (though bleach still direly needs a fast HTML5 parser).

On 8/25/22 17:21, Tim McCormack wrote:
I have a couple of low-to-moderate severity vulnerabilities to report in lxml.html.clean (and would be happy to submit tests and patches). I did not see a designated security contact or reporting process. What process should I use?
- Tim McCormack
On Fri, 26 Aug 2022 07:47:53 +0200, Xavier Morel wrote:
The way to do that would be to contact Stefan Behnel (https://github.com/scoder) directly.
Perfect, thanks!
As a result I would assume any security report on the cleaner will be pointed to the sign, and told to use mozilla/bleach or somesuch (though bleach still direly needs a fast HTML5 parser)
Interesting. I have some thoughts (perhaps for a different thread) on how to get the best of both worlds for some common use-cases. But in the meantime I'll look into switching to bleach for the security use-case that led me to finding the issues. :-) - Tim McCormack