36
Django comes with a template filter called striptags, which you can use in a template:
{{ value|striptags }}
It uses the function strip_tags, which lives in django.utils.html. You can also use it to clean your form data:
from django.utils.html import strip_tags

# removes anything that looks like a tag; the text between tags is kept
message = strip_tags(form.cleaned_data['message'])
55
strip_tags actually removes the tags from the input, which may not be what you want.
To convert a string to a "safe string" with angle brackets, ampersands and quotes converted to the corresponding HTML entities, you can use the escape filter:
from django.utils.html import escape

# keeps the text intact; <, >, &, " and ' become HTML entities
message = escape(form.cleaned_data['message'])
35
Alternatively, there is a Python library called bleach:
Bleach is a whitelist-based HTML sanitization and text linkification library. It is designed to take untrusted user input with some HTML. Because Bleach uses html5lib to parse document fragments the same way browsers do, it is extremely resilient to unknown attacks, much more so than regular-expression-based sanitizers.
Example:
import bleach

# bleach ships default allow lists as bleach.ALLOWED_TAGS, bleach.ALLOWED_ATTRIBUTES
# and (in bleach < 6) bleach.ALLOWED_STYLES; bleach 6 removed the styles= argument
# in favour of css_sanitizer=.
# strip=False escapes disallowed tags instead of removing them; strip_comments=True
# drops HTML comments.
message = bleach.clean(form.cleaned_data['message'],
                       tags=bleach.ALLOWED_TAGS,
                       attributes=bleach.ALLOWED_ATTRIBUTES,
                       styles=bleach.ALLOWED_STYLES,
                       strip=False, strip_comments=True)
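As an added example that is not code from any of the answers above, from Django, or from bleach, the following standard-library-only Python puts the three approaches the answers describe side by side on one hostile input: escaping everything (what escape does), stripping every tag (what strip_tags does), and allow-list sanitizing (the bleach.clean idea). The sample message, the allow lists and the AllowListSanitizer class are constructed for this example; the sanitizer is a deliberately small stand-in that shows what such a sanitizer has to do (drop script/style content, unknown tags, unknown attributes and javascript: URLs, and re-escape all text), not a replacement for bleach.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a hostile user might submit in the form's "message" field.
SAMPLE = ('Hi <b>there</b>, 1 < 2 '
          '<script>alert(1)</script>'
          '<a href="javascript:alert(2)" onclick="x()">click</a> '
          '<a href="https://example.org/" title="site">ok</a>')


def escape_all(text):
    """Approach 1 (same idea as django.utils.html.escape): keep every character and
    turn <, >, &, " and ' into entities so the browser renders them as text."""
    return html.escape(text, quote=True)


class TagStripper(HTMLParser):
    """Approach 2 (what strip_tags does): keep only text nodes, discard every tag.
    The output is NOT escaped: the '<' in '1 < 2' survives, and the script body
    survives as plain text, so the result must still be auto-escaped on output."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_all_tags(text):
    parser = TagStripper()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


# Approach 3: allow-list sanitizer in the spirit of bleach.clean (hypothetical
# minimal version written for this example, not bleach's code). Allow lists are constructed.
ALLOWED_TAGS = {"b", "i", "p", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}   # the tag and everything inside it go


def _safe_url(url):
    # Blocks javascript:, data:, vbscript: and friends; scheme-less (relative) URLs pass.
    scheme = urlparse((url or "").strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # on*, style, etc. never survive
            if name == "href" and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return              # stray end tag
        while self.open_tags:   # also close anything the user left open inside this tag
            opened = self.open_tags.pop()
            self.out.append("</%s>" % opened)
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # text is always re-escaped

    def result(self):
        while self.open_tags:   # balance tags left unclosed at end of input
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(text):
    parser = AllowListSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    for name, fn in (("escape", escape_all), ("strip", strip_all_tags), ("sanitize", sanitize)):
        print("%-9s %s" % (name + ":", fn(SAMPLE)))
```

Running it shows the trade-off the answers are making: escape_all keeps everything the user typed but as inert text, strip_all_tags loses the user's formatting and still leaves "1 < 2" and "alert(1)" unescaped for the template to deal with, and sanitize keeps the <b> and the https link while the script, the onclick handler and the javascript: href disappear. The parser-based approach matters because a regex like `<[^>]*>` does not see `<script>` content or unbalanced tags the way a browser does.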