Bump bleach from 4.1.0 to 5.0.0 (#1708)

* Bump bleach from 4.1.0 to 5.0.0

Bumps [bleach](https://github.com/mozilla/bleach) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/mozilla/bleach/releases)
- [Changelog](https://github.com/mozilla/bleach/blob/main/CHANGES)
- [Commits](https://github.com/mozilla/bleach/compare/v4.1.0...v5.0.0)

---
updated-dependencies:
- dependency-name: bleach
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update bleach==5.0.0

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com>

[skip ci]

lib/bleach/css_sanitizer.py

@@ -0,0 +1,104 @@
+import tinycss2
+
+
+ALLOWED_CSS_PROPERTIES = frozenset(
+    (
+        "azimuth",
+        "background-color",
+        "border-bottom-color",
+        "border-collapse",
+        "border-color",
+        "border-left-color",
+        "border-right-color",
+        "border-top-color",
+        "clear",
+        "color",
+        "cursor",
+        "direction",
+        "display",
+        "elevation",
+        "float",
+        "font",
+        "font-family",
+        "font-size",
+        "font-style",
+        "font-variant",
+        "font-weight",
+        "height",
+        "letter-spacing",
+        "line-height",
+        "overflow",
+        "pause",
+        "pause-after",
+        "pause-before",
+        "pitch",
+        "pitch-range",
+        "richness",
+        "speak",
+        "speak-header",
+        "speak-numeral",
+        "speak-punctuation",
+        "speech-rate",
+        "stress",
+        "text-align",
+        "text-decoration",
+        "text-indent",
+        "unicode-bidi",
+        "vertical-align",
+        "voice-family",
+        "volume",
+        "white-space",
+        "width",
+    )
+)
+
+
+ALLOWED_SVG_PROPERTIES = frozenset(
+    (
+        "fill",
+        "fill-opacity",
+        "fill-rule",
+        "stroke",
+        "stroke-width",
+        "stroke-linecap",
+        "stroke-linejoin",
+        "stroke-opacity",
+    )
+)
+
+
+class CSSSanitizer:
+    def __init__(
+        self,
+        allowed_css_properties=ALLOWED_CSS_PROPERTIES,
+        allowed_svg_properties=ALLOWED_SVG_PROPERTIES,
+    ):
+        self.allowed_css_properties = allowed_css_properties
+        self.allowed_svg_properties = allowed_svg_properties
+
+    def sanitize_css(self, style):
+        """Sanitizes css in style tags"""
+        parsed = tinycss2.parse_declaration_list(style)
+
+        if not parsed:
+            return ""
+
+        new_tokens = []
+        for token in parsed:
+            if token.type == "declaration":
+                if (
+                    token.lower_name in self.allowed_css_properties
+                    or token.lower_name in self.allowed_svg_properties
+                ):
+                    new_tokens.append(token)
+            elif token.type in ("comment", "whitespace"):
+                if new_tokens and new_tokens[-1].type != token.type:
+                    new_tokens.append(token)
+
+            # NOTE(willkg): We currently don't handle AtRule or ParseError and
+            # so both get silently thrown out
+
+        if not new_tokens:
+            return ""
+
+        return tinycss2.serialize(new_tokens).strip()