Skip to main content

Provides a set of HTML cleaning utilities for django models, forms and templates.

Project description

Django HTML Sanitizer provides a set of utilities to easily sanitize/escape/clean HTML inputs in django. This app is built on top of bleach, the excellent Python HTML sanitizer.

Dependencies

Installation

You’ll first need to install the package:

pip install django-html_sanitizer

And then add sanitizer to your INSTALLED_APPS in django’s settings.py:

INSTALLED_APPS = (
    # other apps
    "sanitizer",
)

Model Usage

Similar to bleach, django sanitizer is a whitelist (only allows specified tags and attributes) based HTML sanitizer. Django sanitizer provides two model fields that automatically sanitizes text values; SanitizedCharField and SanitizedTextField.

These fields accept three extra arguments: - allowed_tags: a list of allowed HTML tags - allowed_attributes: a list of allowed HTML attributes - strip: a boolean indicating whether offending tags/attributes should be escaped or stripped

Here’s how to use it in django models:

from django.db import models
from sanitizer.models import SanitizedCharField, SanitizedTextField

class MyModel(models.Model):
    # Allow only <a>, <p>, <img> tags and "href" and "src" attributes
    foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False)
    bar = SanitizedTextField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False)

Form Usage

Using django HTML sanitizer in django forms is very similar to model usage:

from django import forms
from sanitizer.forms import SanitizedCharField, SanitizedTextField

class MyForm(forms.Form):
    # Allow only <a>, <p>, <img> tags and "href" and "src" attributes
    foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False)
    bar = SanitizedTextField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False)

Template Usage

Django sanitizer provides a few differents ways of cleaning HTML in templates.

escape_html Template Tag

Example usage:

{% load sanitizer %}
{% escape_html post.content "a, p, img" "href, src" %}

Assuming post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, the above tag will output:

'<a href ="#">Example</a>&lt;script&gt;alert("x")&lt;/script&gt;'

strip_html Template Tag

Example usage:

{% load sanitizer %}
{% strip_html post.content "a, p, img" "href, src" %}

If post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, this will give you:

'<a href ="#">Example</a>alert("x")'

escape_html Filter

Escapes HTML tags from string based on settings. To use this filter you need to put these variables on settings.py:

  • SANITIZER_ALLOWED_TAGS - a list of allowed tags (defaults to an empty list)

  • SANITIZER_ALLOWED_ATTRIBUTES - a list of allowed attributes (defaults to an empty list)

For example if we have SANITIZER_ALLOWED_TAGS = ['a'], SANITIZER_ALLOWED_ATTRIBUTES = ['href'] in settings.py, doing:

{% load sanitizer %}
{{ post.content|escape_html }}

If post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, it will give you:

'<a href ="#">Example</a>&lt;script&gt;alert("x")&lt;/script&gt;'

strip_html Filter

Similar to escape_html filter, except it strips out offending HTML tags.

For example if we have SANITIZER_ALLOWED_TAGS = ['a'], SANITIZER_ALLOWED_ATTRIBUTES = ['href'] in settings.py, doing:

{% load sanitizer %}
{{ post.content|strip_html }}

If post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, we will get:

'<a href ="#">Example</a>alert("x")'

Changelog

  • Version 0.1.2: allowed_tags and allowed_attributes in CharField and TextField now default to []

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-html_sanitizer-0.1.3.tar.gz (5.5 kB view details)

Uploaded Source

File details

Details for the file django-html_sanitizer-0.1.3.tar.gz.

File metadata

File hashes

Hashes for django-html_sanitizer-0.1.3.tar.gz
Algorithm Hash digest
SHA256 319cf6001ec63f2b39f81d54ae329c620bbf358adcb2cc65d48942324ea005fb
MD5 fce2d177407d4d35b978361f93e181a2
BLAKE2b-256 f6d454aca9d2171a13a628aaff5d9f6a53cd3c5ed77d7d351000095f7ee7ce1b

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page