A set of HTML input sanitization or cleaning utilities for django models, forms and templates
ui/django-html_sanitizer
Django HTML Sanitizer provides a set of utilities to easily sanitize/escape/clean HTML inputs in django. This app is built on top of bleach, the excellent Python HTML sanitizer.
You'll first need to install the package (or download manually from pypi):

```shell
pip install django-html_sanitizer
```
And then add `sanitizer` to your INSTALLED_APPS in django's `settings.py`:

```python
INSTALLED_APPS = (
    # other apps
    "sanitizer",
)
```
Similar to bleach, django sanitizer is a whitelist based HTML sanitizer (only the specified tags and attributes are allowed through). Django sanitizer provides two model fields that automatically sanitize text values: `SanitizedCharField` and `SanitizedTextField`.
These fields accept extra arguments:

- allowed_tags: a list of allowed HTML tags
- allowed_attributes: a list of allowed HTML attributes, or a dictionary of tag keys with an attribute list for each key
- allowed_styles: a list of allowed styles if "style" is one of the allowed attributes
- strip: a boolean indicating whether offending tags/attributes should be escaped (`strip=False`) or stripped (`strip=True`)
Here's how to use it in django models:

```python
from django.db import models
from sanitizer.models import SanitizedCharField, SanitizedTextField


class MyModel(models.Model):
    # Allow only <a>, <p>, <img> tags and "href" and "src" attributes
    foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False)
    bar = SanitizedTextField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False)
    # Per-tag attribute allowlist: only <img> may carry "src" and "style",
    # and only the "width" and "height" style properties are kept
    foo2 = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'],
                              allowed_attributes={'img': ['src', 'style']},
                              allowed_styles=['width', 'height'], strip=False)
```
Using django HTML sanitizer in django forms is very similar to model usage:

```python
from django import forms
from sanitizer.forms import SanitizedCharField


class MyForm(forms.Form):
    # Allow only <a>, <p>, <img> tags and "href" and "src" attributes
    foo = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False)
    bar = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'],
                             allowed_attributes=['href', 'src'], strip=False,
                             widget=forms.Textarea)
    foo2 = SanitizedCharField(max_length=255, allowed_tags=['a', 'p', 'img'],
                              allowed_attributes={'img': ['src', 'style']},
                              allowed_styles=['width', 'height'], strip=False)
```
Django sanitizer provides a few different ways of cleaning HTML in templates.

Example usage of the `escape_html` tag:

```django
{% load sanitizer %}
{% escape_html post.content "a, p, img" "href, src, style" "width" %}
```

Assuming `post.content` contains the string `'<a href ="#"400px">Example</a><script>alert("x")</script>'`, the above tag will output:

```html
'<a href ="#">Example</a>&lt;script&gt;alert("x")&lt;/script&gt;'
```
On django 1.4 you could also use keyword arguments:

```django
{% escape_html '<a href="">bar</a>' allowed_tags="a,img" allowed_attributes="href,src" allowed_styles="width" %}
```
Example usage of the `strip_html` tag:

```django
{% load sanitizer %}
{% strip_html post.content "a, p, img" "href, src" %}
```

If `post.content` contains the string `'<a href ="#">Example</a><script>alert("x")</script>'`, this will give you:

```html
'<a href ="#">Example</a>alert("x")'
```
The `escape_html` filter escapes HTML tags from a string based on settings. To use this filter you need to put these variables in settings.py:

- `SANITIZER_ALLOWED_TAGS` - a list of allowed tags (defaults to an empty list)
- `SANITIZER_ALLOWED_ATTRIBUTES` - a list of allowed attributes (defaults to an empty list)
- `SANITIZER_ALLOWED_STYLES` - a list of allowed styles if the style attribute is set (defaults to an empty list)
For example, if we have `SANITIZER_ALLOWED_TAGS = ['a']`, `SANITIZER_ALLOWED_ATTRIBUTES = ['href']`, `SANITIZER_ALLOWED_STYLES = ['width']` in settings.py, doing:

```django
{% load sanitizer %}
{{ post.content|escape_html }}
```

If `post.content` contains the string `'<a href ="#">Example</a><script>alert("x")</script>'`, it will give you:

```html
'<a href ="#">Example</a>&lt;script&gt;alert("x")&lt;/script&gt;'
```
The `strip_html` filter is similar to the `escape_html` filter, except it strips out offending HTML tags.

For example, if we have `SANITIZER_ALLOWED_TAGS = ['a']`, `SANITIZER_ALLOWED_ATTRIBUTES = ['href']` in settings.py, doing:

```django
{% load sanitizer %}
{{ post.content|strip_html }}
```

If `post.content` contains the string `'<a href ="#">Example</a><script>alert("x")</script>'`, we will get:

```html
'<a href ="#">Example</a>alert("x")'
```
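The model fields, template tags and filters above all hand the real work to bleach. To make the escape-versus-strip distinction and the per-tag attribute and style allowlists concrete without a Django project, here is an added, stdlib-only Python example: it is neither django-html_sanitizer's code nor bleach, and the names `AllowlistSanitizer`, `sanitize`, `url_is_safe` and `SAFE_SCHEMES` are this example's own. It reproduces the behaviour documented for `strip=False` (offending tags are escaped) and `strip=True` (offending tags are dropped, their text kept) on a constructed input close to the README's sample string, and additionally drops `href`/`src` values whose URL scheme is not allowlisted, a check bleach also performs by default but which this README does not show.

```python
# Added example: a stdlib-only allowlist sanitizer mirroring the escape/strip
# behaviour documented above. NOT django-html_sanitizer's code and NOT bleach;
# AllowlistSanitizer, sanitize, url_is_safe and SAFE_SCHEMES are assumed names.
from html import escape
from html.parser import HTMLParser

VOID_TAGS = {"img", "br", "hr"}                 # never get a closing tag
SAFE_SCHEMES = ("http:", "https:", "mailto:")    # assumed URL scheme allowlist


def url_is_safe(value):
    """Accept relative URLs and allowlisted schemes; reject e.g. javascript:."""
    v = value.strip().lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True                               # relative URL, no scheme
    return v.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowed_tags, allowed_attributes, allowed_styles=(), strip=False):
        super().__init__(convert_charrefs=False)
        self.allowed_tags = set(allowed_tags)
        self.allowed_attributes = allowed_attributes   # flat list, or {tag: [attrs]}
        self.allowed_styles = set(allowed_styles)
        self.strip = strip
        self.out = []

    def _attrs_for(self, tag):
        if isinstance(self.allowed_attributes, dict):
            return set(self.allowed_attributes.get(tag, []))
        return set(self.allowed_attributes)

    def _clean_style(self, value):
        # Only the property *names* are allowlisted, like allowed_styles above
        kept = []
        for decl in value.split(";"):
            prop, sep, val = decl.partition(":")
            if sep and prop.strip().lower() in self.allowed_styles:
                kept.append(f"{prop.strip().lower()}: {val.strip()}")
        return "; ".join(kept)

    def _clean_attrs(self, tag, attrs):
        allowed = self._attrs_for(tag)
        parts = []
        for name, value in attrs:
            if name not in allowed:
                continue                          # e.g. onerror= is dropped
            value = value or ""
            if name == "style":
                value = self._clean_style(value)
                if not value:
                    continue
            elif name in ("href", "src") and not url_is_safe(value):
                continue                          # drop javascript: and friends
            parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed_tags:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
        elif not self.strip:
            # strip=False: the offending tag is escaped so it renders as text
            self.out.append(escape(self.get_starttag_text()))
        # strip=True: the offending tag is dropped, its text content survives

    def handle_endtag(self, tag):
        if tag in self.allowed_tags:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        elif not self.strip:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text nodes are always escaped

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # comments, doctypes and processing instructions are dropped outright
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize(html, allowed_tags, allowed_attributes, allowed_styles=(), strip=False):
    parser = AllowlistSanitizer(allowed_tags, allowed_attributes, allowed_styles, strip)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed input, close to the README's own sample string
    sample = '<a href="#" style="width: 400px; position: fixed">Example</a><script>alert("x")</script>'
    print(sanitize(sample, ["a", "p", "img"], ["href", "src", "style"], ["width"]))
    print(sanitize(sample, ["a", "p", "img"], ["href", "src", "style"], ["width"], strip=True))
```

Both calls keep the `<a>` tag, its `href` and the allowlisted `width` style while dropping `position`; the first escapes `<script>` to `&lt;script&gt;`, the second removes the tag and leaves `alert("x")` as plain text, which is exactly the difference between the `escape_html` and `strip_html` outputs shown above. Note that the style filter, like `allowed_styles`, checks property names only and does not inspect property values.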
- Fixes for smart_unicode and basestring (python 3.x support)
- `CharField`, `TextField`, `strip_html` and `escape_html` now support `allowed_styles` (thanks cltrudeau)
- Added an example of template tag usage using kwargs now that Django 1.4 is out
- `allowed_tags` and `allowed_attributes` in CharField and TextField now default to []