Sanitizing HTML in submitted form data

python django forms sanitization
24,119

Solution 1

Django comes with a template filter called striptags, which you can use in a template:

value|striptags

It uses the function strip_tags which lives in django.utils.html. You can utilize it also to clean your form data:

from django.utils.html import strip_tags
message = strip_tags(form.cleaned_data['message'])

Solution 2

strip_tags actually removes the tags from the input, which may not be what you want.

To convert a string to a "safe string" with angle brackets, ampersands and quotes converted to the corresponding HTML entities, you can use the escape filter:

from django.utils.html import escape
message = escape(form.cleaned_data['message'])

Solution 3

Alternatively, there is a Python library called bleach:

Bleach is a whitelist-based HTML sanitization and text linkification library. It is designed to take untrusted user input with some HTML.

Because Bleach uses html5lib to parse document fragments the same way browsers do, it is extremely resilient to unknown attacks, much more so than regular-expression-based sanitizers.

Example:

import bleach
message = bleach.clean(form.cleaned_data['message'], 
                       tags=ALLOWED_TAGS,
                       attributes=ALLOWED_ATTRIBUTES, 
                       styles=ALLOWED_STYLES, 
                       strip=False, strip_comments=True)
Share:
24,119
abolotnov
Author by

abolotnov

it's a long story haha.

Updated on April 07, 2021

Comments

  • abolotnov
    abolotnov about 3 years

    Is there a generic "form sanitizer" that I can use to ensure all html/scripting is stripped off the submitted form? form.clean() doesn't seem to do any of that - html tags are all still in cleaned_data. Or actually doing this all manually (and override the clean() method for the form) is my only option?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

No URL to redirect to. Either provide a url or define a get_absolute_url method on the Model
Django form.errors not showing up in template
Django 'RequestContext' is not defined - forms.ModelForm
Add form fields to django form dynamically
Django, rendering a view from another view (call a specific URL)
Passing the value of selected option of dropdown value to django database
__init__() got an unexpected keyword argument 'required'
How do I include the id field in a django form?
Django - Forms - What does (?P<pk>\d+)/$ signify?
Cleaning form data in Django