When using a JavaScript WYSIWYG editor widget for text area content, the resulting HTML should be sanitized so no unallowed HTML tags (esp. script tags) are present.
The BeautifulSoup library handles HTML processing in the solution presented above, so you should place it in the Python path.
The snippet also assumes that you have the Dojo Toolkit and its Editor2 widget loaded on your page.
Note: this snippet was originally written for use with Dojo Toolkit 0.4, and it hasn't been updated for 0.9 or 1.0.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | from django import newforms as forms
from BeautifulSoup import BeautifulSoup, Comment
class Editor2Field(forms.CharField):
widget=forms.widgets.Textarea(attrs={'dojoType': 'Editor2'})
valid_tags = 'p i strong b u a h1 h2 h3 pre br img'.split()
valid_attrs = 'href src'.split()
def clean(self, value):
"""
Cleans non-allowed HTML from the input.
"""
value = super(Editor2Field, self).clean(value)
soup = BeautifulSoup(value)
for comment in soup.findAll(
text=lambda text: isinstance(text, Comment)):
comment.extract()
for tag in soup.findAll(True):
if tag.name not in self.valid_tags:
tag.hidden = True
tag.attrs = [(attr, val) for attr, val in tag.attrs
if attr in self.valid_attrs]
return soup.renderContents().decode('utf8')
class TestForm(forms.Form):
title = forms.CharField()
content = Editor2Field()
|
More like this
- Template tag - list punctuation for a list of items by shapiromatron 10 months, 2 weeks ago
- JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 10 months, 3 weeks ago
- Serializer factory with Django Rest Framework by julio 1 year, 5 months ago
- Image compression before saving the new model / work with JPG, PNG by Schleidens 1 year, 6 months ago
- Help text hyperlinks by sa2812 1 year, 7 months ago
Comments
Nice snippet!
#
This is nice, but you should also look into href attributes to make sure they don't contain javascript code.
#
marcink: Thanks for the heads up. It's obviously a fatal mistake to have left out that check.
#
Please login first before commenting.