Provides a set of HTML cleaning utilities for django models, forms and templates.
Project description
Django HTML Sanitizer provides a set of utilities to easily sanitize/escape/clean HTML inputs in django. This app is built on top of bleach, the excellent Python HTML sanitizer.
Dependencies
Installation
You’ll first need to install the package:
pip install django-html_sanitizer
And then add sanitizer to your INSTALLED_APPS in django’s settings.py:
INSTALLED_APPS = ( # other apps "sanitizer", )
Model Usage
Similar to bleach, django sanitizer is a whitelist (only allows specified tags and attributes) based HTML sanitizer. Django sanitizer provides two model fields that automatically sanitizes text values; SanitizedCharField and SanitizedTextField.
These fields accept three extra arguments: - allowed_tags: a list of allowed HTML tags - allowed_attributes: a list of allowed HTML attributes - strip: a boolean indicating whether offending tags/attributes should be escaped or stripped
Here’s how to use it in django models:
from django.db import models from sanitizer.models import SanitizedCharField, SanitizedTextField class MyModel(models.Model): # Allow only <a>, <p>, <img> tags and "href" and "src" attributes foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'], allowed_attributes=['href', 'src'], strip=False) bar = SanitizedTextField(max_length=255, allowed_tags=['a', 'p', 'img'], allowed_attributes=['href', 'src'], strip=False)
Form Usage
Using django HTML sanitizer in django forms is very similar to model usage:
from django import forms from sanitizer.forms import SanitizedCharField, SanitizedTextField class MyForm(forms.Form): # Allow only <a>, <p>, <img> tags and "href" and "src" attributes foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'], allowed_attributes=['href', 'src'], strip=False) bar = SanitizedTextField(max_length=255, allowed_tags=['a', 'p', 'img'], allowed_attributes=['href', 'src'], strip=False)
Template Usage
Django sanitizer provides a few differents ways of cleaning HTML in templates.
escape_html Template Tag
Example usage:
{% load sanitizer %} {% escape_html post.content "a, p, img" "href, src" %}
Assuming post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, the above tag will output:
'<a href ="#">Example</a><script>alert("x")</script>'
strip_html Template Tag
Example usage:
{% load sanitizer %} {% strip_html post.content "a, p, img" "href, src" %}
If post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, this will give you:
'<a href ="#">Example</a>alert("x")'
escape_html Filter
Escapes HTML tags from string based on settings. To use this filter you need to put these variables on settings.py:
SANITIZER_ALLOWED_TAGS - a list of allowed tags (defaults to an empty list)
SANITIZER_ALLOWED_ATTRIBUTES - a list of allowed attributes (defaults to an empty list)
For example if we have SANITIZER_ALLOWED_TAGS = ['a'], SANITIZER_ALLOWED_ATTRIBUTES = ['href'] in settings.py, doing:
{% load sanitizer %} {{ post.content|escape_html }}
If post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, it will give you:
'<a href ="#">Example</a><script>alert("x")</script>'
strip_html Filter
Similar to escape_html filter, except it strips out offending HTML tags.
For example if we have SANITIZER_ALLOWED_TAGS = ['a'], SANITIZER_ALLOWED_ATTRIBUTES = ['href'] in settings.py, doing:
{% load sanitizer %} {{ post.content|strip_html }}
If post.content contains the string ‘<a href =”#”>Example</a><script>alert(“x”)</script>’, we will get:
'<a href ="#">Example</a>alert("x")'
Changelog
Version 0.1.2: allowed_tags and allowed_attributes in CharField and TextField now default to []
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for django-html_sanitizer-0.1.3.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 319cf6001ec63f2b39f81d54ae329c620bbf358adcb2cc65d48942324ea005fb |
|
MD5 | fce2d177407d4d35b978361f93e181a2 |
|
BLAKE2b-256 | f6d454aca9d2171a13a628aaff5d9f6a53cd3c5ed77d7d351000095f7ee7ce1b |