Reputation: 797
I want to display user typed html (from WYSIWYG).
But I have some problems with removing js from html.
Here is my view:
from django.shortcuts import render

def bad_view(request):
    # in a real project this comes from the user (WYSIWYG editor)
    bad_html = '<p onclick="alert(0)">:((</p><script>alert(0);</script>'
    return render(request, 'template.html', {'bad_html': bad_html})
Here is the code in my template:
{{ bad_html|safe }}
bad_html should end up like this: <p onclick="">:((</p>
What is best way to remove ALL js from this html?
For removing <script> I can use a regex, but what about the onclick handler (and other js handlers)?
Thanks for your advice!
Upvotes: 1
Views: 2247
Reputation: 3138
I recommend using the bleach Python library; it is designed to handle all sorts of special cases and to be a complete solution for your problem:
http://bleach.readthedocs.org/en/latest/index.html
Upvotes: 2
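What a library like bleach does is allowlisting: only known-safe tags and attributes survive, everything else (including every on* event handler) is dropped, and <script> is removed together with its contents, so there is no regex to bypass. The following is an added example, not bleach's own code and not part of either post, written with the standard library's html.parser to show that approach; the allowlist of tags and attributes is a constructed assumption. It drops the onclick attribute rather than emptying it as the question shows, and it goes one step beyond the question by also rejecting javascript: URLs in href, which a filter that only looks for handlers and <script> would let through.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist (assumption for this example): tags to keep, and
# per tag the attributes to keep. Event handlers (onclick, onerror, ...)
# are never listed, so they are dropped by construction.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# These elements lose their whole content, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value):
    """Accept relative URLs and a few known schemes; reject e.g. javascript:."""
    v = value.strip().lower()
    # Browsers ignore whitespace and control characters inside the scheme
    # ("java\tscript:"), so remove them before looking at it.
    v = "".join(ch for ch in v if not ch.isspace() and ord(ch) > 31)
    if ":" not in v:
        return True  # relative URL, no scheme
    return v.split(":", 1)[0] in SAFE_URL_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True also unescapes attribute values, so
        # "java&#115;cript:" reaches _safe_url as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onclick and friends end here
            if name == "href" and not _safe_url(value or ""):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._drop_depth:
            # Re-escape text so a stray "<" in user text cannot open a tag.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped entirely


def sanitize(html):
    """Return html reduced to the allowlisted tags and attributes."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The question's input: the onclick attribute and the <script> element go away.
    print(sanitize('<p onclick="alert(0)">:((</p><script>alert(0);</script>'))
```

Run sanitize() on the user's HTML in the view and pass only its result to the template; {{ bad_html|safe }} then marks as safe something that has actually been sanitized rather than the raw editor output.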
Reputation: 2443
Might I suggest a prebuilt solution for Django: https://www.djangopackages.com/grids/g/forms/
Most have some form of filter examples included. I am actually looking into TinyMCE myself.
More info is here: Using safe filter in Django for rich text fields
Upvotes: 0