Sanitize HTML filter

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
from BeautifulSoup import BeautifulSoup, Comment
register = template.Library()


def sanitize_html(value):
    valid_tags = 'p i strong b u a h1 h2 h3 pre br img'.split()
    valid_attrs = 'href src'.split()
    soup = BeautifulSoup(value)
    for comment in soup.findAll(
        text=lambda text: isinstance(text, Comment)):
        comment.extract()
    for tag in soup.findAll(True):
        if tag.name not in valid_tags:
            tag.hidden = True
        tag.attrs = [(attr, val) for attr, val in tag.attrs
                     if attr in valid_attrs]
    return soup.renderContents().decode('utf8').replace('javascript:', '')

register.filter('santize', sanitize_html)

More like this

  1. CleanCharField by DvD 5 years, 8 months ago
  2. Updated - Template context debugger with (I)Pdb by dnordberg 3 years, 9 months ago
  3. Sanitize HTML filter with tag/attribute whitelist and XSS protection by harrym 3 years, 10 months ago
  4. Twitter oAuth example by henriklied 4 years, 2 months ago
  5. Sanitize text field HTML (here from the Dojo Toolkit Editor2 widget) by akaihola 6 years, 1 month ago

Comments

drg006 (on May 15, 2007):

This filter does not prevent case "insensitive XSS attack vector" and "embedded tab to break up the cross site scripting attack" documented here: http://ha.ckers.org/xss.html

#

chrominance (on July 30, 2007):

Might want to try changing the 'javascript' regex in the second-to-last line with this regex instead:

re.compile('j[\s]*(&#x.{1,7})?a[\s]*(&#x.{1,7})?v[\s]*(&#x.{1,7})?a[\s]*(&#x.{1,7})?
s[\s]*(&#x.{1,7})?c[\s]*(&#x.{1,7})?r[\s]*(&#x.{1,7})?i[\s]*(&#x.{1,7})?p[\s]*(&#x.{1,7})?t', re.IGNORECASE)

(all on one line, of course)

It's long and unwieldy but I think it catches the above issues, and then some (embedded entity tabs/linebreaks, for example).

#

schmiddy (on November 25, 2008):

Beware also of the typo on the last line. Author presumably meant to write "sanitize" instead of "santize".

#

Chuck Harmston (on December 23, 2009):

Here's how I solved the javascript link problem: 

def sanitize_html(value):
    import re
    valid_tags = 'a strong em code br'.split()
    valid_attrs = 'href src title'.split()
    soup = BeautifulSoup(value)
    for comment in soup.findAll(
        text=lambda text: isinstance(text, Comment)):
        comment.extract()
    for tag in soup.findAll(True):
        if tag.name not in valid_tags:
            tag.hidden = True
        else:
            for attr, val in tag.attrs:
                if re.match('javascript:', val, re.I) is not None:
                    tag.hidden = True
            tag.attrs = [(attr, val) for attr, val in tag.attrs if attr in valid_attrs]

    return soup.renderContents().decode('utf8')

Admittedly, not the best solution (looping over attrs twice isn't elegant), but it both solves the case-sensitivity problem and actually removes the <a href="javascript:"> tag, rather than just removing the href attribute.

#

ronnie (on May 20, 2011):

I added a new filter, which prevent better for XXS attacks. No configuration needed http://djangosnippets.org/snippets/2444/

#

DoraALEXANDER18 (on December 29, 2011):

All people deserve wealthy life and loan or just commercial loan would make it better. Just because people's freedom relies on money state.

#

(Forgotten your password?)