Reputation: 829
In the website on which I'm working, users may send messages to each other. I want users to be able to use text-style tags such as <b>, <i>, and <u> to make text bold, italic and underlined respectively. But, in fact, I don't want to be XSSed with those <script> tags. Or perhaps a <b> with a mouseover attribute.
What's the easiest and the most secure way to do so?
I'm using django and jQuery if that matters.
Upvotes: 1
Views: 112
Reputation: 11372
If you really want to use HTML tags, you should consider using Bleach.
>>> import bleach
>>> evil = "This <script>...</script> is partly <b>evil</b>"
>>> bleach.clean(evil)
u'This &lt;script&gt;...&lt;/script&gt; is partly <b>evil</b>'
With clean you can explicitly whitelist the tags you want to allow. By using strip you also strip disallowed tags instead of escaping them:
>>> evil = "This uses <i>i</i> and <b title='hovertext'>b</b> and <em>em</em>"
>>> bleach.clean(evil, tags=["b"], attributes=dict(), strip=True)
u'This uses i and <b>b</b> and em'
Upvotes: 3
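The allow-list approach this answer describes, as an added example that is not from the answer or from the Bleach project: a sanitizer built on Python's standard-library HTMLParser that keeps only the b, i and u tags from the question, drops every attribute (so an onmouseover on a b tag disappears), and escapes all remaining text. Bleach does this more completely; this is a dependency-free illustration of the same idea.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list for the question's use case: only b, i and u survive, and
# no attributes at all, so onmouseover, style, href etc. are all dropped.
ALLOWED_TAGS = {"b", "i", "u"}


class AllowListSanitizer(HTMLParser):
    """Rebuild the input keeping only allow-listed tags; everything else
    (script, event-handler attributes, unknown tags) is neutralised."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []           # allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attributes deliberately discarded
            self.stack.append(tag)
        # disallowed tags are dropped entirely (like bleach's strip=True);
        # their text content still arrives via handle_data and is escaped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.stack:
            # close anything opened after it so the output stays well-nested
            while self.stack:
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # text nodes are always re-escaped, so "<" typed as text stays text
        self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.stack:         # close tags the user left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return html with only <b>, <i>, <u> kept and no attributes."""
    p = AllowListSanitizer()
    p.feed(html)
    return p.close()


if __name__ == "__main__":
    print(sanitize('<b onmouseover="alert(1)">hi</b> <script>x()</script>'))
```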
Reputation: 799044
Don't allow tags. Instead use one of the markup languages supported by Django which do not permit XSS attacks in the first place.
Upvotes: 3