HTML5 filter for XSS

Author:
ronnie
Posted:
May 20, 2011
Language:
Python
Version:
1.2
Tags:
template filter security sanitize xss
Score:
0 (after 0 ratings)

Useful for TinyMCE, to allow some HTML but not be vulnerable to XSS attacks.

You need to install html5lib

sudo easy_install html5lib

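from django import template
from django.template.defaultfilters import stringfilter

import html5lib
from html5lib import sanitizer

register = template.Library()


@register.filter
@stringfilter
def sanitize(value):
    # Parse the fragment with html5lib's sanitizing tokenizer, which
    # neutralizes elements and attributes that are not on its allowlist,
    # then serialize the resulting tree back to markup.
    p = html5lib.HTMLParser(tokenizer=sanitizer.HTMLSanitizer)
    return p.parseFragment(value).toxml()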
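
As an added illustration (not part of the original snippet and not html5lib's code), the following standard-library example shows the allowlist behaviour a filter like this relies on: unlisted tags and attributes are dropped, script and style content is discarded, and link schemes are checked. The tag, attribute and scheme lists and all names here are assumptions made for the example, and unlike html5lib it does not rebalance unclosed tags.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for this example (html5lib ships its own, much larger ones).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}

def safe_url(value):
    # Browsers ignore tabs, newlines and leading control characters in a URL,
    # so remove everything up to U+0020 before looking at the scheme.
    compact = "".join(ch for ch in value if ch > " ").lower()
    scheme = re.match(r"([a-z][a-z0-9+.\-]*):", compact)
    return scheme is None or scheme.group(1) in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping += 1
        elif not self.skipping and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or safe_url(value)):
                    kept += ' %s="%s"' % (name, escape(value, quote=True))
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize_fragment(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```
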

Comments

st0w (on May 30, 2011):
One change I had to make - despite trying to add

sanitize.is_safe = True

after the last line you had, Django was still interpreting the results of this as unsafe and proceeding to escape all the special characters. Which somewhat defeats the purpose of having a smart library like html5lib handle it. I had to add one import

from django.utils.safestring import mark_safe

and change your return statement to this:

return mark_safe(p.parseFragment(value).toxml())

Thanks for the snippet!
